From ftweedal at redhat.com Fri Jul 1 01:38:38 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 11:38:38 +1000
Subject: [Freeipa-users] FreeIPA doesnt start
In-Reply-To: <20160630133621.GA675967@mother.pipebreaker.pl>
References: <20160630133621.GA675967@mother.pipebreaker.pl>
Message-ID: <20160701013838.GB4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 03:36:22PM +0200, Tomasz Torcz wrote:
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> > Hi,
> >
> > I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
> >
> > When I want to start IPA with ipactl start I run into the situation
> > that starting pki-tomcat takes a long time and ipactl aborts the starting
> > process and shuts down services. So IPA doesn't start.
>
> Sounds like
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>
I concur - it is likely to be the same issue. A new release of pki
on f23 is going to happen in the next day or so. If it is the same
issue, that will fix it.

Cheers,
Fraser

From andreas.ladanyi at kit.edu Fri Jul 1 06:58:12 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Fri, 1 Jul 2016 08:58:12 +0200
Subject: [Freeipa-users] FreeIPA doesnt start
In-Reply-To: <20160630133621.GA675967@mother.pipebreaker.pl>
References: <20160630133621.GA675967@mother.pipebreaker.pl>
Message-ID: <0642b5c5-2f45-2974-f1b9-527065f17fe3@kit.edu>

Hi Tomasz,

> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>>
>> When I want to start IPA with ipactl start I run into the situation
>> that starting pki-tomcat takes a long time and ipactl aborts the starting
>> process and shuts down services. So IPA doesn't start.
> Sounds like
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/

Thank you. You are right. The certificate profiles that were not imported
into LDAP during the upgrade process were the problem. I solved this issue
with the information from the above link.

Andreas

From andreas.ladanyi at kit.edu Fri Jul 1 07:00:03 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Fri, 1 Jul 2016 09:00:03 +0200
Subject: [Freeipa-users] FreeIPA doesnt start
In-Reply-To: <20160701013838.GB4200@dhcp-40-8.bne.redhat.com>
References: <20160630133621.GA675967@mother.pipebreaker.pl>
 <20160701013838.GB4200@dhcp-40-8.bne.redhat.com>
Message-ID: <095f4c6c-bb16-5731-e064-572c00924dfa@kit.edu>

Hi Fraser.

>>> Hi,
>>>
>>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>>>
>>> When I want to start IPA with ipactl start I run into the situation
>>> that starting pki-tomcat takes a long time and ipactl aborts the starting
>>> process and shuts down services. So IPA doesn't start.
>> Sounds like
>> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>>
> I concur - it is likely to be the same issue. A new release of pki
> on f23 is going to happen in the next day or so. If it is the same
> issue, that will fix it.

Yes, it was the same issue. I could fix it.

Andreas
From abokovoy at redhat.com Fri Jul 1 07:37:04 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 1 Jul 2016 10:37:04 +0300
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To: <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com>
References: <193259965.1531799.1467310864326.JavaMail.yahoo.ref@mail.yahoo.com>
 <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160701073704.bfwctcictvxin5cr@redhat.com>

On Thu, 30 Jun 2016, pgb205 wrote:
>Ben, do you mind sharing your solution as I am affected by the exact same
>error when fetching AD domains.

I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa trust-fetch-domains'
calls out via DBus to another script. It is functionally equivalent to
the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.

-- 
/ Alexander Bokovoy

From andreas.ladanyi at kit.edu Fri Jul 1 09:15:16 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Fri, 1 Jul 2016 11:15:16 +0200
Subject: [Freeipa-users] Replace with 3rd part certificates
In-Reply-To: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net>
References: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net>
Message-ID:

Hi,

> For the time being and as far as I can see until IPA 4.3.1, the procedure
> is messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
Is it possible to backport the working procedure from 4.3.1 to 4.2 in Fedora 23 ?
>
> regards,

Andreas

From lkrispen at redhat.com Fri Jul 1 11:29:03 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 01 Jul 2016 13:29:03 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz>
 <5774F0AF.5010407@redhat.com>
 <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz>
 <5775146B.6000104@redhat.com>
 <57751597.4090303@redhat.com>
 <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz>
 <577545D9.5000909@redhat.com>
 <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz>
Message-ID: <577653FF.1070204@redhat.com>

please keep the discussion on the mailing list

On 07/01/2016 01:17 PM, Omar AKHAM wrote:
> Which package to install ? ipa-debuginfo?
yes
>
> 2 other crashes last night, with a different user bind this time :
>
>         rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>         dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>         saslmech = 0x0
>         cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
>         be = 0x7f6254941c20
>         ber_rc =
>         rc = 0
>         sdn = 0x7f62000313f0
>         bind_sdn_in_pb = 1
>         referral = 0x0
>         errorbuf = '\000' ...
>         supported =
>         pmech =
>         authtypebuf =
> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000
> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\
>
> 000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00
>
> 0\000\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", '\000'
> , "\002\000\000\000 \305\363Tb\177\000\000\377\377\37
> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177",
> '\000'
>         bind_target_entry = 0x0
>
>
>
> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>> The crash is random, sometimes the user binds without problem,
>>> sometimes it binds and there is the error message of the ipa plugin
>>> without a dirsrv crash. But when it crashes, this user's bind is found
>>> in the newly generated core file!
>> ok, so the user might try or use different passwords. it could be
>> helpful if you can install the debuginfo for the ipa-server package
>> and get a new stack. Please post it to the list, you can XXXXX the
>> credentials in the core, although I think they will not be proper
>> credentials.
>>
>> Ludwig
>>>
>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Please find strace on a core file : http://pastebin.com/v9cUzau4
>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>> to get a better stack you would have to install also the debuginfo
>>>>> for ipa-server.
>>>> but the stack matches the error messages you have seen
>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid
>>>> argument]
>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c,
>>>> line 225]: key encryption/encoding failed
>>>> they are from the functions in the call stack.
>>>>
>>>> Looks like the user has a password with a \351 char:
>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
>>>>
>>>> does the crash always happen with a bind from this user ?
>>>>
>>>>> and then someone familiar with this plugin should look into it
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>> can you get a core file ?
>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>
>>>>>>>
>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The Directory Service crashes several times a day. It's
>>>>>>>> installed on a CentOS 7 VM :
>>>>>>>>
>>>>>>>> Installed Packages
>>>>>>>> Name    : ipa-server
>>>>>>>> Arch    : x86_64
>>>>>>>> Version : 4.2.0
>>>>>>>>
>>>>>>>> # ipactl status
>>>>>>>> Directory Service: STOPPED
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>> httpd Service: RUNNING
>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>
>>>>>>>>
>>>>>>>> Before each crash, I have these messages in
>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>
>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key -
>>>>>>>> [file encoding.c, line 171]: generating kerberos keys failed
>>>>>>>> [Invalid argument]
>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file
>>>>>>>> encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>
>>>>>>>>
>>>>>>>> Any help?
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>
>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat:
>>>>>>> Grasbrunn,
>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael
>>>>>>> O'Neill, Eric Shander
>>>>>
>>>>
>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat:
>>>> Grasbrunn,
>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael
>>>> O'Neill, Eric Shander

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From pspacek at redhat.com Fri Jul 1 11:35:24 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 1 Jul 2016 13:35:24 +0200
Subject: [Freeipa-users] AES reverse encryption plugin on userPassword attribute
In-Reply-To:
References:
Message-ID: <7621ebde-da1f-d9d3-64d5-673f6b76e616@redhat.com>

On 30.6.2016 15:30, opensauce . wrote:
> Hi All,
>
> I need to store user passwords with reverse encryption for an application.
>
> I know the AES plugin is enabled and available :
>
> # AES, Password Storage Schemes, plugins, config
> dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
> cn: AES
> nsslapd-pluginDescription: AES storage scheme plugin
> nsslapd-pluginEnabled: on
> nsslapd-pluginId: aes-storage-scheme
> nsslapd-pluginInitfunc: aes_init
> nsslapd-pluginPath: libpbe-plugin
> nsslapd-pluginType: reverpwdstoragescheme
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginVersion: 1.3.4.0
> nsslapd-pluginarg0: nsmultiplexorcredentials
> nsslapd-pluginarg1: nsds5ReplicaCredentials
> nsslapd-pluginprecedence: 1
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
>
> How do I apply this plugin to the userPassword attribute of a single or
> multiple users?
Generally FreeIPA tries to hide passwords as much as possible, even from
admins, so this is not enabled by default. You might try to experiment
using the 389 DS documentation [1] but there are no guarantees.

[1] http://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/

-- 
Petr^2 Spacek

From gjn at gjn.priv.at Fri Jul 1 11:35:41 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 01 Jul 2016 13:35:41 +0200
Subject: [Freeipa-users] webmaster permission
Message-ID: <8388256.fBHJblrCYM@techz>

Hello,

I am a newbie with IPA and have big problems ;-),
the "normal" installation is working nicely. :-))

But now I have a problem ?

CentOS 7.2 IPA 4.3.1
1 Server (extern) with Virtual Systems (KVM) installed.
DNSserver, Mailserver, Ipaserver, Webserver..

Now we would like to have our Websystem on this Server.

What is the best way to allow an external Webmaster to create or modify the
websites with Joomla, and have the secure from IPA.

Has anyone a hint or link for this problem?

Thanks for an answer,
-- 
with kind regards / best regards,

Günther J. Niederwimmer

From pspacek at redhat.com Fri Jul 1 11:41:02 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 1 Jul 2016 13:41:02 +0200
Subject: [Freeipa-users] SRV records?
In-Reply-To: <6E154351-84D2-4D32-B5D4-91A1977CEDC1@uni.lu>
References: <6E154351-84D2-4D32-B5D4-91A1977CEDC1@uni.lu>
Message-ID: <422e54f5-771a-0a9d-8b89-0db447acb134@redhat.com>

On 30.6.2016 17:56, Christophe TREFOIS wrote:
> Hi,
>
> I am getting a bit confused about what is possible / advised to do and
> how to set up SRV records for our existing setup.
>
> Currently, it looks like this:
>
> ipa1.domain.ltd
> ipa2.domain.ltd
> ipa3.domain.ltd
>
> I believe the installed domain and realm is domain.ltd (we added some
> other realm domains later on).
>
> And we use ipa1 for external user access, ipa2 for services, and ipa3
> for backup (not accessed directly).
>
> We now want to create SRV records for this setup.
>
> How would they look like?
>
> The problem I have is that domain.ltd is also the university's AD domain
> and, according to the docs, it is not recommended to do this, in any
> fashion.
>
> Would it however be feasible to do this via a FreeIPA-FreeIPA migration?
>
> Could you please share any piece of information, or advice on this?

Unfortunately there is no way to make this work. There will be inevitable
conflicts on the DNS and Kerberos level.

Please make sure you fully read
http://www.freeipa.org/page/Deployment_Recommendations
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#server-prereqs

After that the only option is to plan for a new FreeIPA installation and
migration. Unfortunately a complete FreeIPA-FreeIPA migration is not
supported either, so it is mostly a manual process (using hand-made
scripts for your deployment).

Do not hesitate to contact us if you have any questions.

-- 
Petr^2 Spacek

From pvoborni at redhat.com Fri Jul 1 11:41:53 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 1 Jul 2016 13:41:53 +0200
Subject: [Freeipa-users] how to make fIPA stick to only...
In-Reply-To:
References:
Message-ID: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com>

On 06/30/2016 04:56 PM, lejeczek wrote:
> ... its own FQHN and its IP ?
>
> hi users,
>
> I'm fiddling with rewrites but being an amateur cannot figure it out,
> it's on a multi/home-IP box. Is it possible?
>
> many thanks,
>
> L.
>

Hi L.

Could you describe your environment and use case in more detail? It is
not clear to me what you are trying to achieve or what doesn't work for you.
Thank you
-- 
Petr Vobornik

From ftweedal at redhat.com Fri Jul 1 11:42:04 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 1 Jul 2016 21:42:04 +1000
Subject: [Freeipa-users] FreeIPA doesnt start
In-Reply-To: <095f4c6c-bb16-5731-e064-572c00924dfa@kit.edu>
References: <20160630133621.GA675967@mother.pipebreaker.pl>
 <20160701013838.GB4200@dhcp-40-8.bne.redhat.com>
 <095f4c6c-bb16-5731-e064-572c00924dfa@kit.edu>
Message-ID: <20160701114204.GL4200@dhcp-40-8.bne.redhat.com>

On Fri, Jul 01, 2016 at 09:00:03AM +0200, Andreas Ladanyi wrote:
> Hi Fraser.
> >>> Hi,
> >>>
> >>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
> >>>
> >>> When I want to start IPA with ipactl start I run into the situation
> >>> that starting pki-tomcat takes a long time and ipactl aborts the starting
> >>> process and shuts down services. So IPA doesn't start.
> >> Sounds like
> >> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
> >>
> > I concur - it is likely to be the same issue. A new release of pki
> > on f23 is going to happen in the next day or so. If it is the same
> > issue, that will fix it.
> Yes, it was the same issue. I could fix it.
>
> Andreas
>
Glad to hear it, Andreas.

From pspacek at redhat.com Fri Jul 1 11:43:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 1 Jul 2016 13:43:35 +0200
Subject: [Freeipa-users] webmaster permission
In-Reply-To: <8388256.fBHJblrCYM@techz>
References: <8388256.fBHJblrCYM@techz>
Message-ID:

On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> Hello,
>
> I am a newbie with IPA and have big problems ;-),
> the "normal" installation is working nicely. :-))
>
> But now I have a problem ?
>
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver, Webserver..
>
> Now we would like to have our Websystem on this Server.
>
> What is the best way to allow an external Webmaster to create or modify the
> websites with Joomla, and have the secure from IPA.
>
> Has anyone a hint or link for this problem?

Hi,

it is strongly recommended to keep FreeIPA on a separate machine / VM and
not mix it with anything else. FreeIPA should be considered the security
centre of your network, and having additional applications under the same
operating system instance potentially opens doors to attackers.

My recommendation is to install a separate VM for FreeIPA and another
separate VM for other applications.

-- 
Petr^2 Spacek

From gjn at gjn.priv.at Fri Jul 1 12:25:33 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 01 Jul 2016 14:25:33 +0200
Subject: [Freeipa-users] webmaster permission
In-Reply-To:
References: <8388256.fBHJblrCYM@techz>
Message-ID: <4370458.IN0kEfEpNR@techz>

Hello,

On Friday, 1 July 2016, 13:43:35 CEST, Petr Spacek wrote:
> On 1.7.2016 13:35, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > I am a newbie with IPA and have big problems ;-),
> > the "normal" installation is working nicely. :-))
> >
> > But now I have a problem ?
> >
> > CentOS 7.2 IPA 4.3.1
> > 1 Server (extern) with Virtual Systems (KVM) installed.
> > DNSserver, Mailserver, Ipaserver, Webserver..
> >
> > Now we would like to have our Websystem on this Server.
> >
> > What is the best way to allow an external Webmaster to create or modify the
> > websites with Joomla, and have the secure from IPA.
> >
> > Has anyone a hint or link for this problem?
>
> Hi,
>
> it is strongly recommended to keep FreeIPA on a separate machine / VM and
> not mix it with anything else. FreeIPA should be considered the security
> centre of your network, and having additional applications under the same
> operating system instance potentially opens doors to attackers.
>
> My recommendation is to install a separate VM for FreeIPA and another
> separate VM for other applications.

Hello Petr,

thanks for the answer; the install structure is a VM with FreeIPA and
enrolled clients for (VM) mailserver, httpserver, host, ........

So my problem is the Webmaster permission, giving only the Webserver and Joomla....

Thanks,
-- 
with kind regards / best regards,

Günther J. Niederwimmer

From jpazdziora at redhat.com Fri Jul 1 12:31:53 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 1 Jul 2016 14:31:53 +0200
Subject: [Freeipa-users] webmaster permission
In-Reply-To: <8388256.fBHJblrCYM@techz>
References: <8388256.fBHJblrCYM@techz>
Message-ID: <20160701123153.GL10043@redhat.com>

On Fri, Jul 01, 2016 at 01:35:41PM +0200, Günther J. Niederwimmer wrote:
>
> CentOS 7.2 IPA 4.3.1
> 1 Server (extern) with Virtual Systems (KVM) installed.
> DNSserver, Mailserver, Ipaserver, Webserver..

Is the IPA server running in a VM or on the host?

> Now we would like to have our Websystem on this Server.

This server meaning yet another VM, or directly on the host?

> What is the best way to allow an external Webmaster to create or modify the
> websites with Joomla, and have the secure from IPA.

Could you be more specific about the "have the secure from IPA" requirement?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From rmj at ast.cam.ac.uk Fri Jul 1 12:33:13 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Fri, 1 Jul 2016 13:33:13 +0100
Subject: [Freeipa-users] How to unset a user's kerberos principal expiration date?
In-Reply-To: <57751B42.90307@redhat.com>
References: <57751B42.90307@redhat.com>
Message-ID: <6a7e3f0b-db5d-1c67-8934-f379eb981ebb@ast.cam.ac.uk>

On 30/06/16 14:14, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/06/16 19:05, Roderick Johnstone wrote:
>>> Hi
>>>
>>> If I set a kerberos principal for a user to expire on a given date
>>> using:
>>> ipa user-mod --principal-expiration=DATE
>>> is it possible to later remove this expiration date rather than just set
>>> it to a time far in the future?
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>>
>> Hello Roderick,
>> AFAIK the only way to remove principal expiration at the moment is to
>> remove the krbPrincipalExpiration attribute from the user entry in DS.
>>
>> $ kinit admin
>> Password for admin at EXAMPLE.ORG
>> $ ldapmodify -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: admin at EXAMPLE.ORG
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=org
>> changetype: modify
>> delete: krbprincipalexpiration
>>
>> modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
>>
>> I think that it makes sense to expose this in the API. Could you please
>> file an RFE (https://fedorahosted.org/freeipa/newticket)?
>>
>
> You just need to pass in a blank value:
>
> $ ipa user-mod --principal-expiration=
>
> rob

Thanks both.

I can indeed confirm that setting --principal-expiration= does in fact
remove the kerberos expiration date.

Roderick

From peljasz at yahoo.co.uk Fri Jul 1 14:29:51 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 1 Jul 2016 15:29:51 +0100
Subject: [Freeipa-users] how to make fIPA stick to only...
In-Reply-To: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com>
References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com>
Message-ID: <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk>

On 01/07/16 12:41, Petr Vobornik wrote:
> On 06/30/2016 04:56 PM, lejeczek wrote:
>> ... its own FQHN and its IP ?
>>
>> hi users,
>>
>> I'm fiddling with rewrites but being an amateur cannot figure it out,
>> it's on a multi/home-IP box. Is it possible?
>>
>> many thanks,
>>
>> L.
>>
> Hi L.
>
> Could you describe your environment and use case in more detail? It is
> not clear to me what you are trying to achieve or what doesn't work for you.
>
> Thank you

gee, I thought my scenario would be quite common among users: take a box
with more than one net if, or even multiple IPs - what would be nice to
have is fIPA's webui residing/running only on that FQHN and that IP to
which the hostname resolves.

Eg, here is one single system:
box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2

currently I get fIPA's webui everywhere, but I'd like it to be only at
ipa.my.dom.local 10.10.1.2 (whether I URL via hostname or IP)

I think it would be great to have this included (maybe as comments/options)
in Apache's configs of IPA in future releases, if possible.

Is it possible to construct such rules? Or is there a different, simpler way?

thanks!

From prasun.gera at gmail.com Fri Jul 1 19:42:31 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 1 Jul 2016 15:42:31 -0400
Subject: [Freeipa-users] Replace with 3rd part certificates
In-Reply-To:
References: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net>
Message-ID:

There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed
in 7.3, that would be great, especially for Let's Encrypt certs (even
without auto-renewal).

On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi wrote:

> Hi,
>
> > For the time being and as far as I can see until IPA 4.3.1, the
> > procedure is messy and difficult.
> > The following thread will be a big help:
> > https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
> >
> > I think I succeeded at last, but further tests remain.
> Is it possible to backport the working procedure from 4.3.1 to 4.2 in
> Fedora 23 ?
> >
> >
> > regards,
> Andreas
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From joannadelaporte at gmail.com Fri Jul 1 20:09:27 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Fri, 1 Jul 2016 15:09:27 -0500
Subject: [Freeipa-users] IPA and NFSv4 with krb5 security
In-Reply-To:
References:
Message-ID:

Which services actually need to be running for Kerberized NFS? On the
server and client sides? What needs to be enabled?

When I go through the list in the RHEL 7 Domain Auth guide (p 271), I
cannot get rpcsvcgssd.service to start. It doesn't give any errors when I
send it a start command, but status always shows it as condition failed,
and inactive (dead). I also cannot enable it, with the error "No such file
or directory." Is this deprecated/replaced with some other service for the
rpc gss server-side service?

On Thu, Jun 30, 2016 at 3:05 PM, Youenn PIOLET wrote:

> Hi,
> First questions (sorry if it's obvious):
> - Do you have a valid token on the client? (obtained with kinit)
> - Did you import the keytab for the NFS service on the server?
> - Did you put "domain = yourdomain.tld" in your NFS server config file? On
> your client?
> - Depending on your (ipa? nfs?) version you may have to enable weak crypto
> (I saw this everywhere but never had to do it for a reason I still ignore)
>
> I'm far from being the most informed person on this list, but I think
> these may be the first things to check.
>
> Hope this helps,
> Regards
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2016-06-30 21:47 GMT+02:00 Joanna Delaporte :
>
>> I need some pointers for getting NFSv4 to use krb5 authorization in my
>> IPA realm.
>>
>> My realm is new. I have just migrated some users from an NIS domain to
>> the IPA realm.
>> The numerical UIDs and GIDs do not all match. I set up the NFS
>> server and client, and automaps, using the recommended methods in the
>> RHEL 7 Storage and Domain Auth/Policy guides.
>>
>> In the exports file on the nfsserver, as long as I
>> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
>> However, when I remove sys, I am no longer able to mount. I have
>> root_squash set.
>>
>> Automount hangs when I restart it, while trying to mount the first NFS
>> directory.
>>
>> If I try to mount on the command line, I get this:
>> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
>> mount.nfs4: access denied by server while mounting arcturus:/
>>
>> If I take out sec=krb5, it works. It just rolls back to sec=sys
>> (confirmed with mountstats).
>> I am not seeing anything related to the mount attempts in the nfsserver
>> logs, but I'm not sure I am looking in the right logs.
>>
>> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
>> error or access logs.
>>
>> What am I missing?
>>
>> Thanks!
>> Joanna
>>
>>
>>
>> --
>>
>>
>> Joanna Delaporte
>> Linux Systems Administrator | Parkland College
>> joannadelaporte at gmail.com
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>

-- 
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From larry.rosen at JDRSolutions.com Fri Jul 1 19:25:57 2016
From: larry.rosen at JDRSolutions.com (Larry Rosen)
Date: Fri, 1 Jul 2016 19:25:57 +0000
Subject: [Freeipa-users] Creating roles tutorial/how-to
Message-ID: <79B7CEE400C91A4C9FD8BF082D822607204D52@JDRPDC.JDRSolutions.local>

Are there any tutorials/how-to's to guide how to create roles?
The docs simply go through filling out the forms, but is there any resource
about how roles are generally used and the required relationships?

This is the closest thing I have found:
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don't understand how to limit various permissions/privileges to specific
users or groups.

I want a role to manage only the users of a certain group: i.e. a user that
can add, modify, delete user accounts and set/reset/unlock passwords for one
group.

Larry

From joannadelaporte at gmail.com Fri Jul 1 20:53:45 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Fri, 1 Jul 2016 15:53:45 -0500
Subject: [Freeipa-users] HBAC rules for NFS
Message-ID:

I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
starting to wonder if I don't have HBAC rules set up correctly. I
installed freeIPA with --no_hbac_allow.

I have an HBAC service defined as an nfs service:
$ ipa hbacsvc-add --desc="NFS service" nfs

I have an HBAC rule that allows all users to access all services on a group
of hosts. My nfsclient is in that group.

Is that enough to allow users rights to mount nfs shares? Do I need some
sort of HBAC between the nfsclient and the nfsserver?

Thanks!
Joanna

-- 
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From abokovoy at redhat.com Fri Jul 1 20:59:21 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 1 Jul 2016 23:59:21 +0300
Subject: [Freeipa-users] HBAC rules for NFS
In-Reply-To:
References:
Message-ID: <20160701205921.t5sz4moo4so7xpc4@redhat.com>

On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>starting to wonder if I don't have HBAC rules set up correctly. I
>installed freeIPA with --no_hbac_allow.
>
>I have an HBAC service defined as an nfs service:
>$ ipa hbacsvc-add --desc="NFS service" nfs
>
>I have an HBAC rule that allows all users to access all services on a group
>of hosts. My nfsclient is in that group.
>
>Is that enough to allow users rights to mount nfs shares? Do I need some
>sort of HBAC between the nfsclient and the nfsserver?
HBAC is not involved at all for NFS use. Remember, HBAC checks are run
by SSSD when it is called by PAM session setup. There is nothing like
that for NFS mounts.

Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?

-- 
/ Alexander Bokovoy

From joannadelaporte at gmail.com Fri Jul 1 22:07:52 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Fri, 1 Jul 2016 17:07:52 -0500
Subject: [Freeipa-users] HBAC rules for NFS
In-Reply-To: <20160701205921.t5sz4moo4so7xpc4@redhat.com>
References: <20160701205921.t5sz4moo4so7xpc4@redhat.com>
Message-ID:

Hi Alexander,

Thanks for the link. I read through it again, and I am still stuck on the
rpcgss service on the server...I don't know how to properly restart it. The
service in the documents is service nfs-secure-server enable (FC16), or
rpcsvcgssd.service (RH7), but I cannot enable using those.

I killed the rpc.gssd process on the client and restarted it manually with
rpc.gssd -vvv, which gave me more output. There is a flag set in
/etc/sysconfig/nfs which should have already been giving that output, but
it never took effect, even though I restarted nfs-server and
nfs-secure-server. What is the right way to restart rpcgssd.service and
rpcsvcgssd.service?

Anyway, after manually killing and executing rpc.gssd, the homedir
automounts with krb5p when I ssh to the machine (yay - first time!), but
the files are owned by nobody. I cannot access the files as the owner. The
UID of the file owner is low (between 500-1000), so I had to change the
user's UID just to be able to log in (<1000 is blocked by PAM).
Maybe the fact that the user with a matching UID doesn't exist is causing a problem in mapping the files' owner to a user? If so, how do I most efficiently map the name of the file owner to the user with a different numerical UID? I had hoped the kerberos auth might handle this for me.

The homedir does not mount when I su from root (not particularly a problem, but it was muddling the issue). This clued me in:
rpc.gssd[9928]: No key table entry found for root/nfsclient.domain.tld.

Thank you!
Joanna

On Fri, Jul 1, 2016 at 3:59 PM, Alexander Bokovoy wrote:
> On Fri, 01 Jul 2016, Joanna Delaporte wrote:
>
>> I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am
>> starting to wonder if I don't have HBAC rules set up correctly. I
>> installed freeIPA with --no_hbac_allow.
>>
>> I have an HBAC service defined as an nfs service:
>> $ ipa hbacsvc-add --desc="NFS service" nfs
>>
>> I have an HBAC rule that allows all users to access all services on a
>> group
>> of hosts. My nfsclient is in that group.
>>
>> Is that enough to allow users rights to mount nfs shares? Do I need some
>> sort of HBAC between the nfsclient and the nfsserver?
>>
> HBAC is not involved at all for NFS use. Remember, HBAC checks are run
> by SSSD when it is called by PAM session setup. There is nothing like
> that for NFS mounts.
>
> Have you read http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA ?
>
>
> --
> / Alexander Bokovoy
>

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com
From rcritten at redhat.com Fri Jul 1 22:45:25 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 1 Jul 2016 18:45:25 -0400
Subject: [Freeipa-users] Creating roles tutorial/how-to
In-Reply-To: <79B7CEE400C91A4C9FD8BF082D822607204D52@JDRPDC.JDRSolutions.local>
References: <79B7CEE400C91A4C9FD8BF082D822607204D52@JDRPDC.JDRSolutions.local>
Message-ID: <5776F285.9070800@redhat.com>

Larry Rosen wrote:
> Are there any tutorials/how to's to guide how to create roles? The docs
> simply go through filling out the forms, but is there any resource about
> how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to
> specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user
> that can add, modify, delete user accounts and set/reset/unlock
> passwords for one group.

The order of access control looks like permissions -> privileges -> roles.

The associated privileges provide a set of permissions (actions a role can take) to the role. Users, groups, hosts, hostgroups and services (depending on version of IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions. An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege available for that so you typically don't need to mess with these.

rob

From joshua at azariah.com Sat Jul 2 20:00:37 2016
From: joshua at azariah.com (Joshua J.
Kugler)
Date: Sat, 02 Jul 2016 12:00:37 -0800
Subject: [Freeipa-users] Small bug in ipa-backup file naming
Message-ID: <2679299.lx89Te7ZsQ@hosanna>

Was just playing around with the ipa-backup scripts for a client. Ran ipa-backup, and the backup was successfully placed in /var/lib/ipa/backup/ipa-full-2016-07-02-11-54-58. Went to view ipa-full.tar, and discovered it's actually a tar.gz file. This is FreeIPA 4.2.0 on CentOS 7.

Is this known? Or should I open a bug?

j

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

From joshua at azariah.com Sat Jul 2 20:01:49 2016
From: joshua at azariah.com (Joshua J. Kugler)
Date: Sat, 02 Jul 2016 12:01:49 -0800
Subject: [Freeipa-users] Password sync settings not working
In-Reply-To:
References: <1711638.VYOPI54qdq@hosanna>
Message-ID: <1671523.bhMpoLTfq6@hosanna>

Thanks. In a case of extreme PEBKAC, I had copied the example and failed to update the DN. It works now.

j

On Monday, June 13, 2016 09:35:53 Martin Kosek wrote:
> On 06/10/2016 01:59 AM, Joshua J. Kugler wrote:
> > Howdy!
> >
> > We are trying to set up password sync. I have read this:
> >
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync
> >
> > I have added that attribute:
> > echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com' | ldapmodify -x -D 'cn=Directory Manager' -w {{ ipaserver_dir_admin_password }} -h localhost -p 389
> >
> > However, when I reset a password as the 'admin' user, the user's password
> > is still set to expired. This is CentOS 7 with the latest FreeIPA there.
> >
> > What might I be missing?
>
> I would try to double check that the passSyncManagersDNs is indeed filled
> properly in the plugin configuration. Base ldapsearch will help.
>
> Then I would also recommend checking your global password policy "ipa
> pwpolicy-show" to make sure that you for example do not have the password
> max life set to 0, which would cause this behavior in current FreeIPA
> version.
>
> Martin

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

From gjn at gjn.priv.at Sun Jul 3 12:19:18 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 03 Jul 2016 14:19:18 +0200
Subject: [Freeipa-users] Kerberos FreeIPA Question
Message-ID: <3361636.LggxkKZKMZ@techz>

Hello,

Is it possible to create a Kerberos ticket for a secondary domain?

CentOS 7.2 IPA 4.3.1
My installation: I have an IPA server for

Domain
test.com

LDAP & Kerberos
TEST.COM

Now I would like to include another domain:
new.net

Is it possible to also have a Kerberos ticket for this domain?

I found an example in a krb5.conf like this:
[domain_realm]
.test.com = TEST.COM
.new.net = TEST.COM
...

Is this possible with FreeIPA?

Thanks for an answer
--
Kind regards / best regards,
Günther J. Niederwimmer

From dev at mdfive.dz Sun Jul 3 13:04:09 2016
From: dev at mdfive.dz (Omar AKHAM)
Date: Sun, 03 Jul 2016 15:04:09 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <577653FF.1070204@redhat.com>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com>
Message-ID:

Where can I find the core file of ipa-server?
On 2016-07-01 13:29, Ludwig Krispenz wrote:
> please keep the discussion on the mailing list
> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>> Which package to install? ipa-debuginfo?
> yes
>>
>> 2 other crashes last night, with a different user bind this time:
>>
>> rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>> dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>> saslmech = 0x0
>> cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
>> be = 0x7f6254941c20
>> ber_rc =
>> rc = 0
>> sdn = 0x7f62000313f0
>> bind_sdn_in_pb = 1
>> referral = 0x0
>> errorbuf = '\000' ...
>> supported =
>> pmech =
>> authtypebuf =
>> bind_target_entry = 0x0
>>
>>
>>
>> On 2016-06-30 18:16, Ludwig Krispenz wrote:
>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote:
>>>> The crash is random, sometimes the user binds without problem,
>>>> sometimes it binds and there is the error message of ipa plugin
>>>> without dirsrv crash. But when it crashes, this user's bind is found
>>>> in the new generated core file!
>>> ok, so the user might try or use different passwords. it could be
>>> helpful if you can install the debuginfo for the ipa-server package
>>> and get a new stack.
>>> Please post it to the list, you can XXXXX the
>>> credentials in the core, although I think they will not be proper
>>> credentials.
>>>
>>> Ludwig
>>>>
>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote:
>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>>>>>>
>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please find strace on a core file : http://pastebin.com/v9cUzau4
>>>>>> the crash is in an IPA plugin, ipa_pwd_extop,
>>>>>> to get a better stack you would have to install also the debuginfo
>>>>>> for ipa-server.
>>>>> but the stack matches the error messages you have seen
>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>> they are from the functions in the call stack.
>>>>>
>>>>> Looks like the user has a password with a \351 char:
>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
>>>>>
>>>>> does the crash always happen with a bind from this user ?
>>>>>
>>>>>> and then someone familiar with this plugin should look into it
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>>>>>>> can you get a core file ?
>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>>>>>>
>>>>>>>>
>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> The Directory Services crashes several times a day.
>>>>>>>>> It's installed on CentOS 7 VM :
>>>>>>>>>
>>>>>>>>> Installed Packages
>>>>>>>>> Name : ipa-server
>>>>>>>>> Arch : x86_64
>>>>>>>>> Version : 4.2.0
>>>>>>>>>
>>>>>>>>> # ipactl status
>>>>>>>>> Directory Service: STOPPED
>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>> httpd Service: RUNNING
>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Before each crash, I have these messages in
>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>>>>>>
>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Any help?
>>>>>>>>> Best regards
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>>>>>>
>>>>>

From pgb205 at yahoo.com Mon Jul 4 03:36:06 2016
From: pgb205 at yahoo.com (pgb205)
Date: Mon, 4 Jul 2016 03:36:06 +0000 (UTC)
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To: <20160701073704.bfwctcictvxin5cr@redhat.com>
References: <193259965.1531799.1467310864326.JavaMail.yahoo.ref@mail.yahoo.com> <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com> <20160701073704.bfwctcictvxin5cr@redhat.com>
Message-ID: <1418706071.801742.1467603366130.JavaMail.yahoo@mail.yahoo.com>

Selinux is disabled on the server. However, I managed to fix the problem by adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}. So it now looks like

[realms]
IPA.DOMAIN {
  master_kdc = ipa.dc.ipadomain:port
  auth_kdc = ipa.dc.ipadomain:port
  ...
}
AD.DOMAIN {
  master_kdc = ad.dc.addomain:port
  auth_kdc = ad.dc.addomain:port
  ...
}

This had the desired effect although I am not 100% clear on why this worked. My theory is that we have multiple domain controllers and of course the addomain.com forward zone that was configured prior returns a full list. Only the ports to the one ad.dc.addomain.com server have been opened between the ipa and ad servers and so when trust command is executed connection goes to some domain controller that IPA can't connect to, eventually generating an error. Just a theory for now.

thanks

From: Alexander Bokovoy
To: pgb205
Cc: "bentech4you at gmail.com" ; Freeipa-users
Sent: Friday, July 1, 2016 3:37 AM
Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.

On Thu, 30 Jun 2016, pgb205 wrote:
>Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains.
I'm currently on vacation and don't have access to my lab, but you need to check if there are any problems with SELinux. 'ipa trust-fetch-domains' calls out via DBus to another script. It is functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this run will generate a lot of debug information.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Jul 4 04:02:59 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 4 Jul 2016 07:02:59 +0300
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To: <1418706071.801742.1467603366130.JavaMail.yahoo@mail.yahoo.com>
References: <193259965.1531799.1467310864326.JavaMail.yahoo.ref@mail.yahoo.com> <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com> <20160701073704.bfwctcictvxin5cr@redhat.com> <1418706071.801742.1467603366130.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160704040259.33yzk72zdouj6a44@redhat.com>

On Mon, 04 Jul 2016, pgb205 wrote:
>Selinux is disabled on the server. However, I managed to fix the problem by adding the AD.DOMAIN {}
>section to my krb5.conf in addition to IPA.DOMAIN {}. So it now looks like
>[realms]
>IPA.DOMAIN {
>  master_kdc = ipa.dc.ipadomain:port
>  auth_kdc = ipa.dc.ipadomain:port
>  ...
>}
>AD.DOMAIN {
>  master_kdc = ad.dc.addomain:port
>  auth_kdc = ad.dc.addomain:port
>  ...
>}
>this had the desired effect although I am not 100% clear on why this worked.
>My theory is that we have multiple domain controllers and of course the
>addomain.com forward zone that was configured prior returns a full
>list. Only the ports to the one ad.dc.addomain.com server have been
>opened between the ipa and ad servers and so when trust command is
>executed connection goes to some domain controller that IPA can't
>connect to, eventually generating an error. Just a theory for now.
It is a totally plausible theory -- when we do trust-fetch-domains, we try to use Kerberos authentication against AD DCs. Forcing IPA master to use specific domain controller via krb5.conf should help here.

Note that you'll need to have a similar stanza on each IPA client as well because authentication happens directly to AD DCs and SSSD on IPA clients will have to do the same job using AD user credentials in case of password logons.
>thanks > > From: Alexander Bokovoy > To: pgb205 >Cc: "bentech4you at gmail.com" ; Freeipa-users > Sent: Friday, July 1, 2016 3:37 AM > Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing. > >On Thu, 30 Jun 2016, pgb205 wrote: >>Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains. >I'm currently on vacation and don't have access to my lab, but you need >to check if there are any problems with SELinux. 'ipa >trust-fetch-domains' calls out via DBus to another script. It is >functionally equivalent to the following command run as root: > ># oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test > >where ad.test is your AD root domain. > >If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this >run will generate a lot of debug information. > > >-- >/ Alexander Bokovoy > > > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy From pspacek at redhat.com Mon Jul 4 06:59:19 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 4 Jul 2016 08:59:19 +0200 Subject: [Freeipa-users] how to make fIPA stick to only... In-Reply-To: <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk> References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com> <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk> Message-ID: On 1.7.2016 16:29, lejeczek wrote: > > > On 01/07/16 12:41, Petr Vobornik wrote: >> On 06/30/2016 04:56 PM, lejeczek wrote: >>> ... its own FQHN and its IP ? >>> >>> hi users, >>> >>> I'm fiddling with rewrites but being an amateur cannot figure it out, >>> it's on a multi/home-IP box. Is it possible? >>> >>> many thanks, >>> >>> L. >>> >> Hi L. >> >> Could you describe your environment and use case in more details. It is >> not clear to me what you are trying to achieve or what doesn't work for you. 
>>
>> Thank you
> gee, I thought my scenario would be quite common among users,
> take a box with more than one net ifs, or even multiple IPs - what would be
> nice to have is fIPA webui resides/runs only on that FQHN and that IP to which
> hostname resolves. Eg, here is one single system:
> box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
> ipa.my.dom.local 10.10.1.2
> currently I get fIPA's webui everywhere, but I'd like it to be only at
> ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
> I think it would be great to have included (maybe as comments/options) this in
> Apache's configs of IPA future releases, if possible.
> Is it possible to construct such rules? Or is there a different, simpler way?

I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box?

--
Petr^2 Spacek

From pspacek at redhat.com Mon Jul 4 07:01:29 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 4 Jul 2016 09:01:29 +0200
Subject: [Freeipa-users] Small bug in ipa-backup file naming
In-Reply-To: <2679299.lx89Te7ZsQ@hosanna>
References: <2679299.lx89Te7ZsQ@hosanna>
Message-ID: <0f3bd0c8-8a8d-9261-c3d3-9f73cfed2657@redhat.com>

On 2.7.2016 22:00, Joshua J. Kugler wrote:
> Was just playing around with the ipa-backup scripts for a client. Ran ipa-backup,
> and the backup was successfully placed in /var/lib/ipa/backup/ipa-full-2016-07-02-11-54-58.
> Went to view ipa-full.tar, and discovered it's
> actually a tar.gz file. This is FreeIPA 4.2.0 on CentOS 7.
>
> Is this known? Or should I open a bug?

Please open a ticket:
https://fedorahosted.org/freeipa/newticket

Thank you!
--
Petr^2 Spacek

From lkrispen at redhat.com Mon Jul 4 07:39:55 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 04 Jul 2016 09:39:55 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To:
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com>
Message-ID: <577A12CB.8090702@redhat.com>

On 07/03/2016 03:04 PM, Omar AKHAM wrote:
> Where can I find the core file of ipa-server?
you still need to look for the core file of slapd, but IPA deploys plugins for slapd and that is why you need the debuginfo for ipa-server for a better analysis of the slapd core.

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From wouter.hummelink at kpn.com Mon Jul 4 07:40:35 2016
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Mon, 4 Jul 2016 07:40:35 +0000
Subject: [Freeipa-users] Duplicate serials in issued
ipa certs
In-Reply-To: <2CA71D6C07ADB544847562573DC6BF062AE87DA1@CPEMS-KPN309.KPNCNL.LOCAL>
References: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL> <20160508231022.GB1237@dhcp-40-8.bne.redhat.com> <2CA71D6C07ADB544847562573DC6BF062AE87DA1@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID: <2CA71D6C07ADB544847562573DC6BF062AF2B72D@CPEMS-KPN309.KPNCNL.LOCAL>

I haven't had time to get back on this, but I still have this issue with a few certificates having been issued with identical serials. Since the API busts on any resource hit by this I'm at a bit of a loss how to proceed. I've tried manually deleting the offending certificate from the host, but can't seem to figure out how to have ldapmodify accept the change.

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of wouter.hummelink at kpn.com
Sent: Monday, 9 May 2016 07:49
To: ftweedal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

All 4 of our ipa servers are RHEL7.2 with IPA 4.2. Last august the original CA master was damaged so I moved the CRL role to another server, decommissioned the machine and deleted all the replication agreements and rebuilt the machine. That machine now appears to have issued the certs that have duplicated serials. My immediate problem now is however that I can't deprovision the machine that one of these certs was issued for, nor can I revoke the certs. What would be the proper way to remove these certs from ldap?
-----Original Message-----
From: Fraser Tweedale [mailto:ftweedal at redhat.com]
Sent: Monday, 9 May 2016 01:10
To: Hummelink, Wouter
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
>
> I discovered today that our IPA CA has been issuing certs with
> duplicate serials, causing issues in several ways when dealing with
> hosts that have such a cert in place. (Complaints about duplicate serials)
> Removing the offending cert from the host results in the same type of error
> These all seem to have been issued from the server that in the past was reinstalled with the same hostname.
>
Can you please describe the history of the server in more detail? (i.e. what do you mean by "was reinstalled" - including whether it was a replica, etc).

Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
>
> IPA cert-find indeed shows 2 issued certs with the same serial
> (several actually)
>
> (anonymized)
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=app.example.org,O=EXAMPLE.ORG
>
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=ipa.example.org,O=EXAMPLE.ORG
>
> The ipa client won't let me revoke or otherwise kill these certs with the same error.
> What to do?
>
> Kind regards,
>
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Phone: +31 (0)6 1288 2447
> Save Paper - Do you really need to print this e-mail?
> KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, Commercial Register 52959597 Amsterdam.
> The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of it, or the
> taking of any action in reliance upon this information by persons
> and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you.
>

From pspacek at redhat.com Mon Jul 4 07:48:24 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 4 Jul 2016 09:48:24 +0200
Subject: [Freeipa-users] Kerberos FreeIPA Question
In-Reply-To: <3361636.LggxkKZKMZ@techz>
References: <3361636.LggxkKZKMZ@techz>
Message-ID:

On 3.7.2016 14:19, Günther J. Niederwimmer wrote:
> Hello,
>
> Is it possible to create a Kerberos ticket for a secondary domain?
>
> CentOS 7.2 IPA 4.3.1
> My installation:
> I have an IPA server for
>
> Domain
> test.com
>
> LDAP & Kerberos
> TEST.COM
>
> Now I would like to include another domain:
> new.net
>
> Is it possible to also have a Kerberos ticket for this domain?
>
> I found an example in a krb5.conf like this:
> [domain_realm]
> .test.com = TEST.COM
> .new.net = TEST.COM
> ...
>
> is this possible with FreeIPA?

One FreeIPA instance always represents one Kerberos REALM. At the same time multiple DNS domains can belong to one FreeIPA REALM. See command 'ipa realmdomains'.

--
Petr^2 Spacek

From lslebodn at redhat.com Mon Jul 4 08:24:04 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 4 Jul 2016 10:24:04 +0200
Subject: [Freeipa-users] Small bug in ipa-backup file naming
In-Reply-To: <0f3bd0c8-8a8d-9261-c3d3-9f73cfed2657@redhat.com>
References: <2679299.lx89Te7ZsQ@hosanna> <0f3bd0c8-8a8d-9261-c3d3-9f73cfed2657@redhat.com>
Message-ID: <20160704082403.GB20368@10.4.128.1>

On (04/07/16 09:01), Petr Spacek wrote:
>On 2.7.2016 22:00, Joshua J. Kugler wrote:
>> Was just playing around with the ipa-backup scripts for a client. Ran
>> ipa-backup, and the backup was successfully placed in
>> /var/lib/ipa/backup/ipa-full-2016-07-02-11-54-58. Went to view ipa-full.tar,
>> and discovered it's actually a tar.gz file. This is FreeIPA 4.2.0 on CentOS 7.
>>
>> Is this known? Or should I open a bug?
>
>Please open a ticket:
>https://fedorahosted.org/freeipa/newticket
>
and it would be ideal if you could provide a patch.
http://www.freeipa.org/page/Contribute

LS

From rmj at ast.cam.ac.uk Mon Jul 4 08:23:41 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Mon, 4 Jul 2016 09:23:41 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
Message-ID: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk>

Hi

I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems.

Now I'd like to bring online another replica (server3).
All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, but I get the following error when I run this on server1:

server1> ipa-replica-prepare server3.example.com

Directory Manager (existing master) password:

Preparing replica for server3.example.com from server1.example.com
Creating SSL certificate for the Directory Server
Certificate issuance failed

If I repeat this on server2, my first replica, it succeeds.

Running in debug mode on server1:
server1> ipa-replica-prepare --debug server3.example.com
gives a lot of output of which the following seems relevant (some info has been anonymised):

Generating key. This may take a few moments...

ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
ipa: DEBUG: request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
ipa: DEBUG: NSSConnection init server1.example.com
ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: response status 200
ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
ipa: DEBUG: response body '1Server Internal Error 3'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
    self.copy_ds_certificate()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
    self.export_certdb("dscert", passwd_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
    db.create_server_cert(nickname, hostname, ca_db)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
    cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
    raise RuntimeError("Certificate issuance failed")

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed

If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.

I'd appreciate some pointers to resolving this.

Thanks

Roderick Johnstone

From peljasz at yahoo.co.uk Mon Jul 4 09:47:37 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 4 Jul 2016 10:47:37 +0100
Subject: [Freeipa-users] how to make fIPA stick to only...
In-Reply-To:
References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com> <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk>
Message-ID: <6c7d8615-5205-a187-59c3-0974739f343e@yahoo.co.uk>

On 04/07/16 07:59, Petr Spacek wrote:
> On 1.7.2016 16:29, lejeczek wrote:
>>
>> On 01/07/16 12:41, Petr Vobornik wrote:
>>> On 06/30/2016 04:56 PM, lejeczek wrote:
>>>> ... its own FQHN and its IP ?
>>>>
>>>> hi users,
>>>>
>>>> I'm fiddling with rewrites but being an amateur cannot figure it out,
>>>> it's on a multi/home-IP box. Is it possible?
>>>>
>>>> many thanks,
>>>>
>>>> L.
>>>>
>>> Hi L.
>>>
>>> Could you describe your environment and use case in more details. It is
>>> not clear to me what you are trying to achieve or what doesn't work for you.
>>>
>>> Thank you
>> gee, I thought my scenario would be quite common among users,
>> take a box with more than one net ifs, or even multiple IPs - what would be
>> nice to have is fIPA webui resides/runs only on that FQHN and that IP to which
>> hostname resolves. Eg, here is one single system:
>> box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
>> ipa.my.dom.local 10.10.1.2
>> currently I get fIPA's webui everywhere, but I'd like it to be only at
>> ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
>> I think it would be great to have included (maybe as comments/options) this in
>> Apache's configs of IPA future releases, if possible.
>> Is it possible to construct such rules? Or there is different, simpler way?
> I'm still trying to understand your use-case. Why exactly you need to limit
> the web UI to one 'host name' while keeping it on the same box?
>
I'm sorry I cannot explain this better, in my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP
This should not even be a matter of "imagine a situation where...." but rather assume that IPAs are deployed on such installations and then - why would fIPA have to monopolize all the IPs/IFs there are?
Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things.

thanks

From mbabinsk at redhat.com Mon Jul 4 14:12:04 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 4 Jul 2016 16:12:04 +0200
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk>
Message-ID: <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com>

On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
> Hi
>
> I installed my first master ipa server (server1) many months ago (Redhat
> 7.1 IIRC) and made a replica server2 without problems.
>
> Now I'd like to bring online another replica (server3).
>
> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
> but I get the following error when I run this on server1:
>
> server1> ipa-replica-prepare server3.example.com
>
> Directory Manager (existing master) password:
>
> Preparing replica for server3.example.com from server1.example.com
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
>
> If I repeat this on server2, my first replica, it succeeds.
>
> Running in debug mode on server1:
> server1> ipa-replica-prepare --debug server3.example.com
> gives a lot of output of which the following seems relevant (some info
> has been anonymised):
>
> Generating key. This may take a few moments...
>
>
> ipa: DEBUG: request POST
> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
> ipa: DEBUG: request body
> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>
> ipa: DEBUG: NSSConnection init server1.example.com
> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> ipa: DEBUG: response status 200
> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
> 'content-length': '161', 'content-type': 'application/xml', 'server':
> 'Apache-Coyote/1.1'}
> ipa: DEBUG: response body ' standalone="no"?>1Server Internal
> Error 3'
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 337, in run
> self.copy_ds_certificate()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 382, in copy_ds_certificate
> self.export_certdb("dscert", passwd_fname)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 589, in export_certdb
> db.create_server_cert(nickname, hostname, ca_db)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 337, in create_server_cert
> cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 418, in issue_server_cert
> raise RuntimeError("Certificate issuance failed")
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> ipa-replica-prepare command failed, exception: RuntimeError: Certificate
> issuance failed
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
> Certificate issuance failed
>
> If it's of relevance I did change the directory manager password on both
> server1 and server2 a couple of weeks ago.
>
> I'd appreciate some pointers to resolving this.
>
> Thanks
>
> Roderick Johnstone
>

Hi Roderick,

try to look in the logs of the pki-ca subsystem. They should be located in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and "debug" logs mainly.

--
Martin^3 Babinsky

From abokovoy at redhat.com Mon Jul 4 14:24:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 4 Jul 2016 17:24:13 +0300
Subject: [Freeipa-users] how to make fIPA stick to only...
In-Reply-To: <6c7d8615-5205-a187-59c3-0974739f343e@yahoo.co.uk>
References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com> <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk> <6c7d8615-5205-a187-59c3-0974739f343e@yahoo.co.uk>
Message-ID: <20160704142413.kyurvl3islteoqib@redhat.com>

On Mon, 04 Jul 2016, lejeczek wrote:
>
>
>On 04/07/16 07:59, Petr Spacek wrote:
>>On 1.7.2016 16:29, lejeczek wrote:
>>>
>>>On 01/07/16 12:41, Petr Vobornik wrote:
>>>>On 06/30/2016 04:56 PM, lejeczek wrote:
>>>>>... its own FQHN and its IP ?
>>>>>
>>>>>hi users,
>>>>>
>>>>>I'm fiddling with rewrites but being an amateur cannot figure it out,
>>>>>it's on a multi/home-IP box. Is it possible?
>>>>>
>>>>>many thanks,
>>>>>
>>>>>L.
>>>>>
>>>>Hi L.
>>>>
>>>>Could you describe your environment and use case in more details. It is
>>>>not clear to me what you are trying to achieve or what doesn't work for you.
>>>>
>>>>Thank you
>>>gee, I thought my scenario would be quite common among users,
>>>take a box with more than one net ifs, or even multiple IPs - what would be
>>>nice to have is fIPA webui resides/runs only on that FQHN and that IP to which
>>>hostname resolves. Eg, here is one single system:
>>>box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
>>>ipa.my.dom.local 10.10.1.2
>>>currently I get fIPA's webui everywhere, but I'd like it to be only at
>>>ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
>>>I think it would be great to have included (maybe as comments/options) this in
>>>Apache's configs of IPA future releases, if possible.
>>>Is it possible to construct such rules? Or there is different, simpler way?
>>I'm still trying to understand your use-case. Why exactly you need to limit
>>the web UI to one 'host name' while keeping it on the same box?
>>
>I'm sorry I cannot explain this better, in my mind it's really simple,
>if I installed an instance of IPA on a ipa.my.dom.local and the system
>is a multi-homed/IP host I'd like webui to run only on that host/IP
>This should not even be a matter of "imagine a situation where...." but
>rather assume that IPAs are deployed on such installations and then -
>why would fIPA have to monopolize all the IPs/IFs there are?
>Me, I'd like to be able to use httpd under a root of host's other
>FQHN/IPs with other things.

Your IPA masters hold passwords and keys to your company's infrastructure. We recommend to avoid sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure as you have so nicely given the keys to its heart by co-sharing the same system.

It is up to you on how you make up your system defense. We as FreeIPA upstream developers put considerable effort in ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path.

--
/ Alexander Bokovoy

From christophe.trefois at uni.lu Mon Jul 4 15:54:28 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Mon, 4 Jul 2016 15:54:28 +0000
Subject: [Freeipa-users] Problem with properly removing replica master from cluster
Message-ID: <3185B8E3-7AFF-46E2-8A50-B77A554A2D7A@uni.lu>

Dear all,

First of all, thanks to mbasti for helping out so far.

We have a 3-node master cluster (--setup-ca) on 4.1 and setup a 4th using 4.2.0 as we want to migrate there.

First, we had some orphan entries in ipa-replica-manage list. We removed those by manually removing the LDAP node + children in cn=etc,cn=ipa,cn=masters.
Then, we saw that there is still an orphan entry here:

ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

In particular, there is one ghost entry for nsDS5ReplicaBindDN

This is the details of

ldapsearch -x -D 'cn=directory manager' -W -b 'cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat, csusers, config
dn: cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers
 ,cn=config
objectClass: top
objectClass: person
cn: Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat
sn: manager
userPassword:: **REMOVED** =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

In addition, in slapd error log, I periodically (every 5 mins) see the following errors:

[04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
[04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
[04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.

Could anybody help me to clean up the orphaned master replica (that is dead) and also tell if these attr_replace errors are related?

Thank you for your help in this,

Kind regards,
Christophe

From dev at mdfive.dz Mon Jul 4 22:07:04 2016
From: dev at mdfive.dz (Omar AKHAM)
Date: Tue, 05 Jul 2016 00:07:04 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <577A12CB.8090702@redhat.com>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com> <577A12CB.8090702@redhat.com>
Message-ID: <67bb7309546804a75dc11521d59b211f@mdfive.dz>

Ok, here is a new core file : http://pastebin.com/2cJQymHd

Best regards

On 2016-07-04 09:39, Ludwig Krispenz wrote:
> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>> Where can I find core file of ipa-server?
> you still need to look for the core file of slapd, but IPA deploys
> plugins for slapd and that is why you need the debuginfo for
> ipa-server for a better analysis of the slapd core.
>>
>> On 2016-07-01 13:29, Ludwig Krispenz wrote:
>>> please keep the discussion on the mailing list
>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
>>>> Which package to install ? ipa-debuginfo?
>>> yes
>>>>
>>>> 2 other crashes last night, with a different user bind this time :
>>>>
>>>> rawdn = 0x7f620003a200
>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>> dn = 0x7f62000238b0
>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
>>>> saslmech = 0x0
>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0
>>>> "nw_PA\250\063\065\067"}
>>>> be = 0x7f6254941c20
>>>> ber_rc =
>>>> rc = 0
>>>> sdn = 0x7f62000313f0
>>>> bind_sdn_in_pb = 1
>>>> referral = 0x0
>>>> errorbuf = '\000' ...
>>>> supported = >>>> pmech = >>>> authtypebuf = >>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000 >>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ >>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 >>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", >>>> '\000' , "\002\000\000\000 >>>> \305\363Tb\177\000\000\377\377\37 >>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", >>>> '\000' >>>> bind_target_entry = 0x0 >>>> >>>> >>>> >>>> On 2016-06-30 18:16, Ludwig Krispenz wrote: >>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote: >>>>>> The crash is random, sometimes the user binds without problem, >>>>>> sometimes it binds and there is the error message of ipa plugin >>>>>> without dirsrv crash. But when it crashes, this user's bind is >>>>>> found in the new generated core file! >>>>> ok, so the user might try or use different passwords. it could be >>>>> helpful if you can install the debuginfo for the ipa-server package >>>>> and get a new stack. Please post it to the list, you can XXXXX the >>>>> credentials in the core, although I think they will not be proper >>>>> credentials. >>>>> >>>>> Ludwig >>>>>> >>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote: >>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: >>>>>>>> >>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> Please find strace on a core file : >>>>>>>>> http://pastebin.com/v9cUzau4 >>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop, >>>>>>>> to get a better stack you would have to install also the >>>>>>>> debuginfo for ipa-server. 
>>>>>>> but the stack matches the error messages you have seen >>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file >>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid >>>>>>> argument] >>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>> encoding.c, >>>>>>> line 225]: key encryption/encoding failed >>>>>>> they are from the functions in the call stack. >>>>>>> >>>>>>> Looks like the user has a password with a \351 char: >>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 >>>>>>> "d\351sertification"} >>>>>>> >>>>>>> does the crash always happen with a bind from this user ? >>>>>>> >>>>>>>> and then someone familiar with this plugin should look into it >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> >>>>>>>>> >>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote: >>>>>>>>>> can you get a core file ? >>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> The Directory Service crashes several times a day. 
It's >>>>>>>>>>> installed on CentOS 7 VM : >>>>>>>>>>> >>>>>>>>>>> Installed Packages >>>>>>>>>>> Name : ipa-server >>>>>>>>>>> Arch : x86_64 >>>>>>>>>>> Version : 4.2.0 >>>>>>>>>>> >>>>>>>>>>> # ipactl status >>>>>>>>>>> Directory Service: STOPPED >>>>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>>>> kadmin Service: RUNNING >>>>>>>>>>> ipa_memcached Service: RUNNING >>>>>>>>>>> httpd Service: RUNNING >>>>>>>>>>> pki-tomcatd Service: RUNNING >>>>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>>>> ipa: INFO: The ipactl command was successful >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Before each crash, I have these messages in >>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors : >>>>>>>>>>> >>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - >>>>>>>>>>> [file encoding.c, line 171]: generating kerberos keys failed >>>>>>>>>>> [Invalid argument] >>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>>>> encoding.c, line 225]: key encryption/encoding failed >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Any help? >>>>>>>>>>> Best regards >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: >>>>>>>>>> Grasbrunn, >>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, >>>>>>>>>> Michael >>>>>>>>>> O'Neill, Eric Shander >>>>>>>> >>>>>>> >>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: >>>>>>> Grasbrunn, >>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael >>>>>>> O'Neill, Eric Shander From bahanw042014 at gmail.com Tue Jul 5 07:40:21 2016 From: bahanw042014 at gmail.com (bahan w) Date: Tue, 5 Jul 2016 09:40:21 +0200 Subject: [Freeipa-users] A question related the passwords in the ldap Message-ID: Hello ! I'm running ipa 3.0.0.47 and I have a question related to the password stored in the ldap. 
I was wondering if the users' passwords are natively encrypted? If yes, do you know by which mechanism?

Thank you in advance for your help.

BR.

Bahan

From lkrispen at redhat.com Tue Jul 5 08:51:06 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 05 Jul 2016 10:51:06 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <67bb7309546804a75dc11521d59b211f@mdfive.dz>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com> <577A12CB.8090702@redhat.com> <67bb7309546804a75dc11521d59b211f@mdfive.dz>
Message-ID: <577B74FA.2030307@redhat.com>

well, this does not have more information:
#0 0x00007efe7167c4c0 in ipapwd_keyset_free () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#1 0x00007efe7167c742 in ipapwd_encrypt_encode_key () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#2 0x00007efe7167c9c8 in ipapwd_gen_hashes () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#3 0x00007efe7167c0a7 in ipapwd_SetPassword () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.
#4 0x00007efe7167e458 in ipapwd_pre_bind () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
No symbol table info available.

and it looks like a bug in the ipapwd plugin, we would have to reproduce and work on a fix. I don't see any immediate relief unless you cannot prevent clients from using password containing arbitrary octets.
Please open a ticket to get this worked on: https://fedorahosted.org/freeipa/newticket

Ludwig

On 07/05/2016 12:07 AM, Omar AKHAM wrote: > Ok, here is a new core file : http://pastebin.com/2cJQymHd > > Best regards > > On 2016-07-04 09:39, Ludwig Krispenz wrote: >> On 07/03/2016 03:04 PM, Omar AKHAM wrote: >>> Where can I find core file of ipa-server? >> you still need to look for the core file of slapd, but IPA deploys >> plugins for slapd and that is why you need the debuginfo for >> ipa-server for a better analysis of the slapd core. >>> >>> On 2016-07-01 13:29, Ludwig Krispenz wrote: >>>> please keep the discussion on the mailing list >>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote: >>>>> Which package to install ? ipa-debuginfo? >>>> yes >>>>> >>>>> 2 other crashes last night, with a different user bind this time : >>>>> >>>>> rawdn = 0x7f620003a200 >>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>> dn = 0x7f62000238b0 >>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>> saslmech = 0x0 >>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0 >>>>> "nw_PA\250\063\065\067"} >>>>> be = 0x7f6254941c20 >>>>> ber_rc = >>>>> rc = 0 >>>>> sdn = 0x7f62000313f0 >>>>> bind_sdn_in_pb = 1 >>>>> referral = 0x0 >>>>> errorbuf = '\000' ... 
>>>>> supported = >>>>> pmech = >>>>> authtypebuf = >>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000 >>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ >>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 >>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", >>>>> '\000' , "\002\000\000\000 >>>>> \305\363Tb\177\000\000\377\377\37 >>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", >>>>> '\000' >>>>> bind_target_entry = 0x0 >>>>> >>>>> >>>>> >>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote: >>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote: >>>>>>> The crash is random, sometimes the user binds without problem, >>>>>>> sometimes it binds and there is the error message of ipa plugin >>>>>>> without dirsrv crash. But when it crashes, this user's bind is >>>>>>> found in the new generated core file! >>>>>> ok, so the user might try or use different passwords. it could be >>>>>> helpful if you can install the debuginfo for the ipa-server package >>>>>> and get a new stack. Please post it to the list, you can XXXXX the >>>>>> credentials in the core, although I think they will not be proper >>>>>> credentials. >>>>>> >>>>>> Ludwig >>>>>>> >>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote: >>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: >>>>>>>>> >>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> Please find strace on a core file : http://pastebin.com/v9cUzau4 >>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop, >>>>>>>>> to get a better stack you would have to install also the >>>>>>>>> debuginfo for ipa-server. 
>>>>>>>> but the stack matches the error messages you have seen >>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file >>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid >>>>>>>> argument] >>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>> encoding.c, >>>>>>>> line 225]: key encryption/encoding failed >>>>>>>> they are from the functions in the call stack. >>>>>>>> >>>>>>>> Looks like the user has a password with a \351 char: >>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"} >>>>>>>> >>>>>>>> does the crash always happen with a bind from this user ? >>>>>>>> >>>>>>>>> and then someone familiar with this plugin should look into it >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote: >>>>>>>>>>> can you get a core file ? >>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> The Directory Service crashes several times a day. 
It's >>>>>>>>>>>> installed on CentOS 7 VM : >>>>>>>>>>>> >>>>>>>>>>>> Installed Packages >>>>>>>>>>>> Name : ipa-server >>>>>>>>>>>> Arch : x86_64 >>>>>>>>>>>> Version : 4.2.0 >>>>>>>>>>>> >>>>>>>>>>>> # ipactl status >>>>>>>>>>>> Directory Service: STOPPED >>>>>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>>>>> kadmin Service: RUNNING >>>>>>>>>>>> ipa_memcached Service: RUNNING >>>>>>>>>>>> httpd Service: RUNNING >>>>>>>>>>>> pki-tomcatd Service: RUNNING >>>>>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>>>>> ipa: INFO: The ipactl command was successful >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Before each crash, I have these messages in >>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors : >>>>>>>>>>>> >>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key >>>>>>>>>>>> - [file encoding.c, line 171]: generating kerberos keys >>>>>>>>>>>> failed [Invalid argument] >>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>>>>> encoding.c, line 225]: key encryption/encoding failed >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Any help? 
>>>>>>>>>>>> Best regards >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: >>>>>>>>>>> Grasbrunn, >>>>>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>>>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, >>>>>>>>>>> Michael >>>>>>>>>>> O'Neill, Eric Shander >>>>>>>>> >>>>>>>> >>>>>>>> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: >>>>>>>> Grasbrunn, >>>>>>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>>>>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael >>>>>>>> O'Neill, Eric Shander -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From dev at mdfive.dz Tue Jul 5 10:08:51 2016 From: dev at mdfive.dz (Omar AKHAM) Date: Tue, 05 Jul 2016 12:08:51 +0200 Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day In-Reply-To: <577B74FA.2030307@redhat.com> References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com> <577A12CB.8090702@redhat.com> <67bb7309546804a75dc11521d59b211f@mdfive.dz> <577B74FA.2030307@redhat.com> Message-ID: OK thanks. Ticket URL : https://fedorahosted.org/freeipa/ticket/6030 On 2016-07-05 10:51, Ludwig Krispenz wrote: > well, this does not have more information: > #0 0x00007efe7167c4c0 in ipapwd_keyset_free () from > /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so > No symbol table info available. > #1 0x00007efe7167c742 in ipapwd_encrypt_encode_key () from > /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so > No symbol table info available. 
> #2 0x00007efe7167c9c8 in ipapwd_gen_hashes () from > /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so > No symbol table info available. > #3 0x00007efe7167c0a7 in ipapwd_SetPassword () from > /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so > No symbol table info available. > #4 0x00007efe7167e458 in ipapwd_pre_bind () from > /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so > No symbol table info available. > > and it looks like a bug in the ipapwd plugin, we would have to > reproduce and work on a fix. I don't see any immediate relief unless > you cannot prevent clients from using password containing arbitrar > octets. > Please open a ticket to get this worked on: > https://fedorahosted.org/freeipa/newticket > > Ludwig > > On 07/05/2016 12:07 AM, Omar AKHAM wrote: >> Ok, here is a new core file : http://pastebin.com/2cJQymHd >> >> Best regards >> >> On 2016-07-04 09:39, Ludwig Krispenz wrote: >>> On 07/03/2016 03:04 PM, Omar AKHAM wrote: >>>> Where can i find core file of ipa-server? >>> you still need to look for the core file of slapd, but IPA deploys >>> plugins for slapd and that is why you need the debuginfo for >>> ipa-server for a better analysis of the slapd core. >>>> >>>> On 2016-07-01 13:29, Ludwig Krispenz wrote: >>>>> please keep the discussion on the mailing list >>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote: >>>>>> Which package to install ? ipa-debuginfo? >>>>> yes >>>>>> >>>>>> 2 other crashes last night, with a different user bind this time : >>>>>> >>>>>> rawdn = 0x7f620003a200 >>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>> dn = 0x7f62000238b0 >>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>> saslmech = 0x0 >>>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0 >>>>>> "nw_PA\250\063\065\067"} >>>>>> be = 0x7f6254941c20 >>>>>> ber_rc = >>>>>> rc = 0 >>>>>> sdn = 0x7f62000313f0 >>>>>> bind_sdn_in_pb = 1 >>>>>> referral = 0x0 >>>>>> errorbuf = '\000' ... 
>>>>>> supported = >>>>>> pmech = >>>>>> authtypebuf = >>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000 >>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ >>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 >>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", >>>>>> '\000' , "\002\000\000\000 >>>>>> \305\363Tb\177\000\000\377\377\37 >>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", >>>>>> '\000' >>>>>> bind_target_entry = 0x0 >>>>>> >>>>>> >>>>>> >>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote: >>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote: >>>>>>>> The crash is random, sometimes the user binds without probleme, >>>>>>>> sometimes it bind and there is the error message of ipa plugin >>>>>>>> without dirsrv crash. But when it crashes, this user's bind is >>>>>>>> found in the new generated core file! >>>>>>> ok, so the user might try or use different passwords. it could be >>>>>>> helpful if you can install the debuginfo for the ipa-server >>>>>>> package >>>>>>> and get a new stack. Please post it to teh list, you can XXXXX >>>>>>> the >>>>>>> credentials in the core, although I think they will not be proper >>>>>>> credentials. 
>>>>>>> >>>>>>> Ludwig >>>>>>>> >>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote: >>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: >>>>>>>>>> >>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> Please find strace on a core file : >>>>>>>>>>> http://pastebin.com/v9cUzau4 >>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop, >>>>>>>>>> to get a better stack you would have to install also the >>>>>>>>>> debuginfo for ipa-server. >>>>>>>>> but tje stack matches the error messages you have seen >>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file >>>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid >>>>>>>>> argument] >>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>> encoding.c, >>>>>>>>> line 225]: key encryption/encoding failed >>>>>>>>> they are from the function sin the call stack. >>>>>>>>> >>>>>>>>> Looks like the user has a password with a \351 char: >>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 >>>>>>>>> "d\351sertification"} >>>>>>>>> >>>>>>>>> does the crash always happen with a bind from this user ? >>>>>>>>> >>>>>>>>>> and then someone familiar with this plugin should look into it >>>>>>>>>>> >>>>>>>>>>> Regards >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote: >>>>>>>>>>>> can you get a core file ? >>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote: >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> The Directory Services crashes several times a day. 
It's >>>>>>>>>>>>> installed on CentOS 7 VM : >>>>>>>>>>>>> >>>>>>>>>>>>> Installed Packages >>>>>>>>>>>>> Name : ipa-server >>>>>>>>>>>>> Arch : x86_64 >>>>>>>>>>>>> Version : 4.2.0 >>>>>>>>>>>>> >>>>>>>>>>>>> # ipactl status >>>>>>>>>>>>> Directory Service: STOPPED >>>>>>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>>>>>> kadmin Service: RUNNING >>>>>>>>>>>>> ipa_memcached Service: RUNNING >>>>>>>>>>>>> httpd Service: RUNNING >>>>>>>>>>>>> pki-tomcatd Service: RUNNING >>>>>>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>>>>>> ipa: INFO: The ipactl command was successful >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Before each crash, I have these messages in >>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors : >>>>>>>>>>>>> >>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key >>>>>>>>>>>>> - [file encoding.c, line 171]: generating kerberos keys >>>>>>>>>>>>> failed [Invalid argument] >>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>>>>>> encoding.c, line 225]: key encryption/encoding failed >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Any help? 
>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>>
>>>>>>>>>>>>

From rmj at ast.cam.ac.uk Tue Jul 5 10:52:06 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Tue, 5 Jul 2016 11:52:06 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com>
Message-ID: <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk>

On 04/07/2016 15:12, Martin Babinsky wrote:
> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>> Hi
>>
>> I installed my first master ipa server (server1) many months ago (Redhat
>> 7.1 IIRC) and made a replica server2 without problems.
>>
>> Now I'd like to bring online another replica (server3).
>>
>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
>> but I get the following error when I run this on server1:
>>
>> server1> ipa-replica-prepare server3.example.com
>>
>> Directory Manager (existing master) password:
>>
>> Preparing replica for server3.example.com from server1.example.com
>> Creating SSL certificate for the Directory Server
>> Certificate issuance failed
>>
>>
>> If I repeat this on server2, my first replica, it succeeds.
>>
>> Running in debug mode on server1:
>> server1> ipa-replica-prepare --debug server3.example.com
>> gives a lot of output of which the following seems relevant (some info
>> has been anonymised):
>>
>> Generating key. This may take a few moments...
>>
>> ipa: DEBUG: request POST
>> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
>> ipa: DEBUG: request body
>> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>>
>> ipa: DEBUG: NSSConnection init server1.example.com
>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
>> ipa: DEBUG: Protocol: TLS1.2
>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> ipa: DEBUG: response status 200
>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
>> 'content-length': '161', 'content-type': 'application/xml', 'server':
>> 'Apache-Coyote/1.1'}
>> ipa: DEBUG: response body '> standalone="no"?>1Server Internal
>> Error 3'
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 337, in run
>>     self.copy_ds_certificate()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 382, in copy_ds_certificate
>>     self.export_certdb("dscert", passwd_fname)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 589, in export_certdb
>>     db.create_server_cert(nickname, hostname, ca_db)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 337, in create_server_cert
>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 418, in issue_server_cert
>>     raise RuntimeError("Certificate issuance failed")
>>
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
>> ipa-replica-prepare command failed, exception: RuntimeError: Certificate
>> issuance failed
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
>> Certificate issuance failed
>>
>> If it's of relevance I did change the directory manager password on both
>> server1 and server2 a couple of weeks ago.
>>
>> I'd appreciate some pointers to resolving this.
>>
>> Thanks
>>
>> Roderick Johnstone
>>
> Hi Roderick,
>
> try to look in the logs of the pki-ca subsystem. They should be located
> in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and
> "debug" logs mainly.
> Martin

Thanks for the pointers. We had looked at a lot of log files, but not those ones!

We were running the ipa-replica-prepare during the afternoon of 1 July.

Here are the last few entries in the system log file.

0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap (bound) connection pool to host server1.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb.
Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (1)
0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not store certificate serial number 0x3
0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not store certificate serial number 0x1
0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not store certificate serial number 0x2
0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not store certificate serial number 0x3

At corresponding times, in the debug logs there are entries like:

[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
[01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server Internal Error] certificate request processed

And then in the dirsrv error file there seems to be one of these for each of the attempts to run ipa-replica-prepare:

[01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
[01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
[01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed

Do you think this is looking like the root cause? Can you suggest how we fix that?

Thanks.
Roderick

From frenaud at redhat.com Tue Jul 5 12:30:15 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Tue, 5 Jul 2016 14:30:15 +0200
Subject: [Freeipa-users] A question related the passwords in the ldap
In-Reply-To:
References:
Message-ID: <1a977f95-31ff-efc4-dc50-af6f926c269a@redhat.com>

Hi Bahan,

the user passwords stored in LDAP follow the password policy configured in the LDAP server, which defines password syntax requirements as well as the password encryption algorithm. You can find more information in RedHat Directory Server Administration Guide, in the section Managing the Password Policy:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy

By default, the password storage scheme is SSHA. This means that when a user entry is created with a password, the directory server encrypts the password using SSHA before actually storing it in the user entry.

I hope this answers your question,
Flo.

On 07/05/2016 09:40 AM, bahan w wrote:
> Hello !
>
> I'm running ipa 3.0.0.47 and I have a question related to the password
> stored in the ldap.
>
> I was wondering if the users password were natively encrypted ?
> if yes, do you know by which mechanism ?
>
> Thank you in advance for your help.
>
> BR.
>
> Bahan
>

From simecek.tomas at gmail.com Mon Jul 4 07:50:04 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 4 Jul 2016 09:50:04 +0200
Subject: [Freeipa-users] Freeipa and sudo
Message-ID:

Dear freeipa users/admins,
I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can login without problems.
What I cannot make working is sudo from their AD accounts on Linux.
No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for simecek.tomas@sd-stc.cz:
Sorry, try again.

Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Freeipa client: the same

AD domain name: sd-stc.cz
IPA domain: linuxdomain.cz

When digging in logs and googling, I realized that the problem on client side could be:

[root@spcss-2t-www ~]# kinit -k
kinit: Cannot determine realm for host (principal host/spcss-2t-www@)

But this seems to work:
[root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
Password for simecek.tomas@SD-STC.CZ:
[root@spcss-2t-www ~]# klist
Default principal: simecek.tomas@SD-STC.CZ

Valid starting       Expires              Service principal
07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
        renew until 07/05/2016 09:36:23

My /etc/sssd/sssd.conf:
[domain/linuxdomain.cz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = linuxdomain.cz
[nss]
homedir_substring = /home
....
My /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUXDOMAIN.CZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  LINUXDOMAIN.CZ = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .linuxdomain.cz = LINUXDOMAIN.CZ
  linuxdomain.cz = LINUXDOMAIN.CZ

Would you please suggest which way to investigate?

Thanks

Tomas Simecek

From ladner.danila at gmail.com Tue Jul 5 13:58:29 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Tue, 5 Jul 2016 09:58:29 -0400
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID:

What about /etc/nsswitch.conf?
Does it have "sudo: files sss"?

On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek wrote:
> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can login without problems.
> What I cannot make working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.tomas@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
> Password for simecek.tomas@SD-STC.CZ:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.tomas@SD-STC.CZ
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> ....
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = LINUXDOMAIN.CZ
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>   LINUXDOMAIN.CZ = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .linuxdomain.cz = LINUXDOMAIN.CZ
>   linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From lkrispen at redhat.com Tue Jul 5 14:52:23 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 05 Jul 2016 16:52:23 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To:
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com> <577A12CB.8090702@redhat.com> <67bb7309546804a75dc11521d59b211f@mdfive.dz> <577B74FA.2030307@redhat.com>
Message-ID: <577BC9A7.6020909@redhat.com>

On 07/05/2016 12:08 PM, Omar AKHAM wrote:
> OK thanks.
> Ticket URL : https://fedorahosted.org/freeipa/ticket/6030

thanks, I tried to reproduce and failed so far, could you add some information to the ticket on
- how the entry was created
- a full entry which was seen to crash the server, you don't need to reveal any real data, just which objectclasses and attributes the entry has

>
> On 2016-07-05 10:51, Ludwig Krispenz wrote:
>> well, this does not have more information:
>> #0 0x00007efe7167c4c0 in ipapwd_keyset_free () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #1 0x00007efe7167c742 in ipapwd_encrypt_encode_key () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #2 0x00007efe7167c9c8 in ipapwd_gen_hashes () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #3 0x00007efe7167c0a7 in ipapwd_SetPassword () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>> #4 0x00007efe7167e458 in ipapwd_pre_bind () from
>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so
>> No symbol table info available.
>>
>> and it looks like a bug in the ipapwd plugin, we would have to
>> reproduce and work on a fix. I don't see any immediate relief unless
>> you cannot prevent clients from using password containing arbitrary
>> octets.
>> Please open a ticket to get this worked on:
>> https://fedorahosted.org/freeipa/newticket
>>
>> Ludwig
>>
>> On 07/05/2016 12:07 AM, Omar AKHAM wrote:
>>> Ok, here is a new core file : http://pastebin.com/2cJQymHd
>>>
>>> Best regards
>>>
>>> On 2016-07-04 09:39, Ludwig Krispenz wrote:
>>>> On 07/03/2016 03:04 PM, Omar AKHAM wrote:
>>>>> Where can i find core file of ipa-server?
>>>> you still need to look for the core file of slapd, but IPA deploys
>>>> plugins for slapd and that is why you need the debuginfo for
>>>> ipa-server for a better analysis of the slapd core.
>>>>> >>>>> On 2016-07-01 13:29, Ludwig Krispenz wrote: >>>>>> please keep the discussion on the mailing list >>>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote: >>>>>>> Which package to install ? ipa-debuginfo? >>>>>> yes >>>>>>> >>>>>>> 2 other crashes last night, with a different user bind this time : >>>>>>> >>>>>>> rawdn = 0x7f620003a200 >>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>>> dn = 0x7f62000238b0 >>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>>> saslmech = 0x0 >>>>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0 >>>>>>> "nw_PA\250\063\065\067"} >>>>>>> be = 0x7f6254941c20 >>>>>>> ber_rc = >>>>>>> rc = 0 >>>>>>> sdn = 0x7f62000313f0 >>>>>>> bind_sdn_in_pb = 1 >>>>>>> referral = 0x0 >>>>>>> errorbuf = '\000' ... >>>>>>> supported = >>>>>>> pmech = >>>>>>> authtypebuf = >>>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000 >>>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ >>>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 >>>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", >>>>>>> '\000' , "\002\000\000\000 >>>>>>> \305\363Tb\177\000\000\377\377\37 >>>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", >>>>>>> '\000' >>>>>>> bind_target_entry = 0x0 >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote: >>>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote: >>>>>>>>> The crash is random, sometimes the user binds without >>>>>>>>> probleme, sometimes it bind and there is the error message of >>>>>>>>> ipa plugin without dirsrv crash. But when it crashes, this >>>>>>>>> user's bind is found in the new generated core file! 
>>>>>>>> ok, so the user might try or use different passwords. it could be >>>>>>>> helpful if you can install the debuginfo for the ipa-server >>>>>>>> package >>>>>>>> and get a new stack. Please post it to teh list, you can XXXXX the >>>>>>>> credentials in the core, although I think they will not be proper >>>>>>>> credentials. >>>>>>>> >>>>>>>> Ludwig >>>>>>>>> >>>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote: >>>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: >>>>>>>>>>> >>>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> Please find strace on a core file : >>>>>>>>>>>> http://pastebin.com/v9cUzau4 >>>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop, >>>>>>>>>>> to get a better stack you would have to install also the >>>>>>>>>>> debuginfo for ipa-server. >>>>>>>>>> but tje stack matches the error messages you have seen >>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file >>>>>>>>>> encoding.c, line 171]: generating kerberos keys failed [Invalid >>>>>>>>>> argument] >>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>>> encoding.c, >>>>>>>>>> line 225]: key encryption/encoding failed >>>>>>>>>> they are from the function sin the call stack. >>>>>>>>>> >>>>>>>>>> Looks like the user has a password with a \351 char: >>>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 >>>>>>>>>> "d\351sertification"} >>>>>>>>>> >>>>>>>>>> does the crash always happen with a bind from this user ? >>>>>>>>>> >>>>>>>>>>> and then someone familiar with this plugin should look into it >>>>>>>>>>>> >>>>>>>>>>>> Regards >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote: >>>>>>>>>>>>> can you get a core file ? 
>>>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote: >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> The Directory Services crashes several times a day. It's >>>>>>>>>>>>>> installed on CentOS 7 VM : >>>>>>>>>>>>>> >>>>>>>>>>>>>> Installed Packages >>>>>>>>>>>>>> Name : ipa-server >>>>>>>>>>>>>> Arch : x86_64 >>>>>>>>>>>>>> Version : 4.2.0 >>>>>>>>>>>>>> >>>>>>>>>>>>>> # ipactl status >>>>>>>>>>>>>> Directory Service: STOPPED >>>>>>>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>>>>>>> kadmin Service: RUNNING >>>>>>>>>>>>>> ipa_memcached Service: RUNNING >>>>>>>>>>>>>> httpd Service: RUNNING >>>>>>>>>>>>>> pki-tomcatd Service: RUNNING >>>>>>>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Before each crash, I have these messages in >>>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors : >>>>>>>>>>>>>> >>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] >>>>>>>>>>>>>> ipapwd_encrypt_encode_key - [file encoding.c, line 171]: >>>>>>>>>>>>>> generating kerberos keys failed [Invalid argument] >>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - >>>>>>>>>>>>>> [file encoding.c, line 225]: key encryption/encoding failed >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Any help? 
>>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>

From jhrozek at redhat.com Tue Jul 5 16:06:59 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 5 Jul 2016 18:06:59 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID: <20160705160659.GG24232@hendrix>

On Tue, Jul 05, 2016 at 09:58:29AM -0400, Danila Ladner wrote:
> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?

In general this upstream guide:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
can help you pinpoint where the issue is.

From nharrington at i-neda.com Tue Jul 5 16:12:55 2016
From: nharrington at i-neda.com (Neal Harrington | i-Neda Ltd)
Date: Tue, 5 Jul 2016 16:12:55 +0000
Subject: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
Message-ID:

Hi,

I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc and overall I'm very happy.
I have however managed to trip myself up by installing the Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys are not trusted and ssh login falls back to password based on the Ubuntu clients.

If I uninstall a client, reboot and then reinstall without the --ssh-trust-dns option then the user's ssh key I imported into the web interface is used and login is automatic over ssh.

I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and can't see anything to control this. Most of my online searches cover other aspects of ssh host keys in DNS. If I've missed anything obvious then please point me in the right direction.

I have a reasonable number of servers to make this change on and ideally I'd like to push out the change to a config file and maybe restart a service. Is this behaviour easy to configure or would it be easier to go through the uninstall/reboot/reinstall loop? Luckily these are all testing servers so not a show stopper but I'd prefer to learn what is actually controlling this.

Thanks,

Neal.

From rcritten at redhat.com Tue Jul 5 17:01:49 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 5 Jul 2016 13:01:49 -0400
Subject: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
In-Reply-To:
References:
Message-ID: <577BE7FD.1070705@redhat.com>

Neal Harrington | i-Neda Ltd wrote:
> Hi,
>
>
> I have successfully installed FreeIPA server version 4.2.0 on CentOS
> 7.2, including replication between servers. I have a few
> dozen Ubuntu 14.04 servers joined into IPA for authentication with
> various user groups controlling access, sudo permissions etc and overall
> I'm very happy.
>
>
> I have however managed to trip myself up by installing the
> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
> are not trusted and ssh login falls back to password based on the Ubuntu
> clients.
>
>
> If I uninstall a client, reboot and then reinstall without the
> --ssh-trust-dns option then the users ssh key I imported into the web
> interface is used and login is automatic over ssh.
>
>
> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
> can't see anything to control this. Most of my online searches cover
> other aspects of ssh host keys in DNS. If I've missed anything obvious
> then please point me in the right direction.
>
>
> I have a reasonable number of servers to make this change on and ideally
> I'd like to push out the change to a config file and maybe restart a
> service. Is this behaviour easy to configure or would it be easier to go
> through the uninstall/reboot/reinstall loop? Luckily these are all
> testing servers so not a show stopper but I'd prefer to learn what is
> actually controlling this.

As far as I can tell this option sets this in sshd.conf:

VerifyHostKeyDNS = yes
HostKeyAlgorithms = ssh-rsa,ssh-dss

I assume your DNS doesn't contain the SSHFP entries?

rob

From traiano at gmail.com Tue Jul 5 17:16:13 2016
From: traiano at gmail.com (Traiano Welcome)
Date: Tue, 5 Jul 2016 20:16:13 +0300
Subject: [Freeipa-users] Error when adding new users via UI:
In-Reply-To:
References: <57446030.60801@redhat.com>
Message-ID:

Finally got around to fixing this:

On Tue, May 24, 2016 at 5:15 PM, Martin Kosek wrote:
> On 05/24/2016 04:07 PM, Rob Crittenden wrote:
>> Traiano Welcome wrote:
>>> Hi
>>>
>>> I have IPA server 4,2 running on centos 7
>>> (ipa-server-4.2.0-15.el7.centos.3.x86_64).
>>>
>>> This morning, after many months of stable operation, I tried to add a
>>> user and got this error via the web interface:
>>>
>>> ---
>>> Operations error: Allocation of a new value for range cn=posix
>>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
>>> failed! Unable to proceed.
>>> ---
>>>
>>> So basically, can't add any new users.
>>> >>> Would anyone know how I can troubleshoot this kind of IPA error, or >>> possibly have come across and resolved it before ? >> >> At install a range of 100k id's is allocated to IPA. With each new master this >> range is divided in half. It appears you've exhausted one of the masters. >> >> What you need to do is take an inventory of what ranges (if any) are allocated >> to various masters then you should be able to move things around (this is >> assuming of course that you haven't exhausted the entire range). >> >> ipa-replica-manage list will give you a list of the IPA masters. >> >> ipa-replica-manage dnarange-show and ipa-replica-manage >> dnanextrange-show will help discover what is available. >> >> If you have things in nextrange then I'd start there with reallocation. Setting >> a next range of 0-0 removes the next range (e.g. make it available for a >> primary range). >> >> Take care when actually re-assigning ranges. >> This kind of mental gymnastics will probably land you in a lot of trouble :-) >> rob >> > > For the record, what currently did not work is when user is being added on a > master that does not have direct replication connect to other master with > available range. > > This is improved from FreeIPA 4.3.1+: yum update to the most recent patch levels in the 4.2 series seems to fix this. > https://fedorahosted.org/freeipa/ticket/4026 > > Martin From rcritten at redhat.com Tue Jul 5 17:20:51 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 5 Jul 2016 13:20:51 -0400 Subject: [Freeipa-users] how to make fIPA stick to only... 
In-Reply-To: <20160704142413.kyurvl3islteoqib@redhat.com> References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com> <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk> <6c7d8615-5205-a187-59c3-0974739f343e@yahoo.co.uk> <20160704142413.kyurvl3islteoqib@redhat.com> Message-ID: <577BEC73.6070508@redhat.com> Alexander Bokovoy wrote: > On Mon, 04 Jul 2016, lejeczek wrote: >> >> >> On 04/07/16 07:59, Petr Spacek wrote: >>> On 1.7.2016 16:29, lejeczek wrote: >>>> >>>> On 01/07/16 12:41, Petr Vobornik wrote: >>>>> On 06/30/2016 04:56 PM, lejeczek wrote: >>>>>> ... its own FQHN and its IP ? >>>>>> >>>>>> hi users, >>>>>> >>>>>> I'm fiddling with rewrites but being an amateur cannot figure it out, >>>>>> it's on a multi/home-IP box. Is it possible? >>>>>> >>>>>> many thanks, >>>>>> >>>>>> L. >>>>>> >>>>> Hi L. >>>>> >>>>> Could you describe your environment and use case in more details. >>>>> It is >>>>> not clear to me what you are trying to achieve or what doesn't work >>>>> for you. >>>>> >>>>> Thank you >>>> gee, I though my scenario would be quite common among users, >>>> take a box with more then one net ifs, or even multiple IPs - what >>>> would be >>>> nice to have is fIPA webui resides/runs only on that FQHN and that >>>> IP to which >>>> hostname resolves. Eg, here is one single system: >>>> box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) >>>> ipa.my.dom.local 10.10.1.2 >>>> currently I get fIPA's webui everywhere, but I'd like it to be only at >>>> ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) >>>> I think it would be great to have included (maybe as >>>> comments/options) this in >>>> Apache's configs of IPA furure releases, if possible. >>>> Is it possible to construct such rules? Or there is different, >>>> simpler way? >>> I'm still trying to understand your use-case. Why exactly you need to >>> limit >>> the web UI to one 'host name' while keeping it on the same box? 
>>> >> I'm sorry I cannot explain this better, I my mind it's really simple, >> if I installed an instance of IPA on a ipa.my.dom.local and the system >> is a multi-homed/IP host I'd like webui to run only on that host/IP >> This should not even be a matter of "image a situation where...." but >> rather assume that IPA's are deployed on such installations and then - >> why would fIPA have to monopolize all the IP's/IFs there are? >> Me, I'd like to be able to use httpd under a root of host's other >> FQHN/IPs with other things. > Your IPA masters hold passwords and keys to your company's > infrastructure. We recommend to avoid sharing the servers used for > running IPA masters with any other applications because any compromise > of those applications can and will be used for taking over your > infrastructure as you have so nicely given the keys to its heart by > co-sharing the same system. > > It is up to you on how you make up your system defense. We as FreeIPA > upstream developers put considerate effort in ensuring our default setup > is secure enough to avoid such breaches. If you want to co-locate other > applications, you need to understand what you are doing and how that > affects your security. Effectively, you are on your own on this path. > FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host or the port is not 443 or the request is for / then ALL requests are redirected to the https://IPAHOST/ipa/ui This file should have enough comments to figure out what part is doing what if you wanted to tweak it. I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended. rob From joshua at azariah.com Tue Jul 5 17:44:04 2016 From: joshua at azariah.com (Joshua J. 
Kugler) Date: Tue, 05 Jul 2016 09:44:04 -0800 Subject: [Freeipa-users] Small bug in ipa-backup file naming In-Reply-To: <0f3bd0c8-8a8d-9261-c3d3-9f73cfed2657@redhat.com> References: <2679299.lx89Te7ZsQ@hosanna> <0f3bd0c8-8a8d-9261-c3d3-9f73cfed2657@redhat.com> Message-ID: <2097398.WLU8v9G8mS@hosanna> On Monday, July 04, 2016 09:01:29 Petr Spacek wrote: > On 2.7.2016 22:00, Joshua J. Kugler wrote: > > Was just playing around with the ipa-backup scripts for a client. Ran ipa- > > backup, and the backup was successfully placed in /var/lib/ipa/backup/ipa- > > full-2016-07-02-11-54-58. Went to view ipa-full.tar, and discovered it's > > actually a tar.gz file. This is FreeIPA 4.2.0 on CentOS 7. > > > > Is this known? Or should I open a bug? > > Please open a ticket: > https://fedorahosted.org/freeipa/newticket > > Thank you! Done, thanks! https://fedorahosted.org/freeipa/ticket/6031 j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design joshua at azariah.com - Jabber: pedahzur at gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A From dev at mdfive.dz Tue Jul 5 17:48:59 2016 From: dev at mdfive.dz (Omar AKHAM) Date: Tue, 05 Jul 2016 19:48:59 +0200 Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day In-Reply-To: <577BC9A7.6020909@redhat.com> References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com> <57751597.4090303@redhat.com> <64cdd56c4f5c25b2586c40d5c884be07@mdfive.dz> <577545D9.5000909@redhat.com> <3c4f95d9da9092087b526dc3ce6af8ee@mdfive.dz> <577653FF.1070204@redhat.com> <577A12CB.8090702@redhat.com> <67bb7309546804a75dc11521d59b211f@mdfive.dz> <577B74FA.2030307@redhat.com> <577BC9A7.6020909@redhat.com> Message-ID: <7be475bc1fe3c6b7b1271e8d2a7105b0@mdfive.dz> Users were migrated from MDS (Mandriva Directory Server) with freeipa migration mode (ipa migrate-ds) You can take a look to attached 
screenshot for objectclasses & attributes On 2016-07-05 16:52, Ludwig Krispenz wrote: > On 07/05/2016 12:08 PM, Omar AKHAM wrote: >> OK thanks. Ticket URL : https://fedorahosted.org/freeipa/ticket/6030 > thanks, I tried to reproduce and failed so far, could you add some > information to the ticket on > - how the entry was created > - a full entry which was seen to crash the server, you don't need to > reveal any real data, jsur which objectclasses and attributes the > entry has >> >> On 2016-07-05 10:51, Ludwig Krispenz wrote: >>> well, this does not have more information: >>> #0 0x00007efe7167c4c0 in ipapwd_keyset_free () from >>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so >>> No symbol table info available. >>> #1 0x00007efe7167c742 in ipapwd_encrypt_encode_key () from >>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so >>> No symbol table info available. >>> #2 0x00007efe7167c9c8 in ipapwd_gen_hashes () from >>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so >>> No symbol table info available. >>> #3 0x00007efe7167c0a7 in ipapwd_SetPassword () from >>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so >>> No symbol table info available. >>> #4 0x00007efe7167e458 in ipapwd_pre_bind () from >>> /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so >>> No symbol table info available. >>> >>> and it looks like a bug in the ipapwd plugin, we would have to >>> reproduce and work on a fix. I don't see any immediate relief unless >>> you cannot prevent clients from using password containing arbitrar >>> octets. >>> Please open a ticket to get this worked on: >>> https://fedorahosted.org/freeipa/newticket >>> >>> Ludwig >>> >>> On 07/05/2016 12:07 AM, Omar AKHAM wrote: >>>> Ok, here is a new core file : http://pastebin.com/2cJQymHd >>>> >>>> Best regards >>>> >>>> On 2016-07-04 09:39, Ludwig Krispenz wrote: >>>>> On 07/03/2016 03:04 PM, Omar AKHAM wrote: >>>>>> Where can i find core file of ipa-server? 
>>>>> you still need to look for the core file of slapd, but IPA deploys >>>>> plugins for slapd and that is why you need the debuginfo for >>>>> ipa-server for a better analysis of the slapd core. >>>>>> >>>>>> On 2016-07-01 13:29, Ludwig Krispenz wrote: >>>>>>> please keep the discussion on the mailing list >>>>>>> On 07/01/2016 01:17 PM, Omar AKHAM wrote: >>>>>>>> Which package to install ? ipa-debuginfo? >>>>>>> yes >>>>>>>> >>>>>>>> 2 other crashes last night, with a different user bind this time >>>>>>>> : >>>>>>>> >>>>>>>> rawdn = 0x7f620003a200 >>>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>>>> dn = 0x7f62000238b0 >>>>>>>> "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX" >>>>>>>> saslmech = 0x0 >>>>>>>> cred = {bv_len = 9, bv_val = 0x7f6200034af0 >>>>>>>> "nw_PA\250\063\065\067"} >>>>>>>> be = 0x7f6254941c20 >>>>>>>> ber_rc = >>>>>>>> rc = 0 >>>>>>>> sdn = 0x7f62000313f0 >>>>>>>> bind_sdn_in_pb = 1 >>>>>>>> referral = 0x0 >>>>>>>> errorbuf = '\000' ... >>>>>>>> supported = >>>>>>>> pmech = >>>>>>>> authtypebuf = >>>>>>>> "\000\000\000\000\000\000\000\000\370\030\002\000b\177\000\000\360\030\002\000b\177\000\000\320\030\002\000b\177\000\000\001\000 >>>>>>>> \000\000\000\000\000\000\250\311\377+b\177\000\000\320\352\377+b\177\000\000\200\376\002\000b\177\000\000\262\202\211Rb\177\000\000\260\311\377+b\177\ >>>>>>>> 000\000\000\000\000\000\000\000\000\000&\272\200Rb\177\000\000\000\000\000\000\000\000\000\000<\224\204Rb\177\000\000\260\311\377+b\177\000\000\000\00 >>>>>>>> 0\000\000\000\000\000\000\210\311\377+b\177\000\000\250\311\377+b\177", >>>>>>>> '\000' , "\002\000\000\000 >>>>>>>> \305\363Tb\177\000\000\377\377\37 >>>>>>>> 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", >>>>>>>> '\000' >>>>>>>> bind_target_entry = 0x0 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 2016-06-30 18:16, Ludwig Krispenz wrote: >>>>>>>>> On 06/30/2016 05:54 PM, dev at mdfive.dz wrote: >>>>>>>>>> The crash is random, sometimes 
the user binds without >>>>>>>>>> probleme, sometimes it bind and there is the error message of >>>>>>>>>> ipa plugin without dirsrv crash. But when it crashes, this >>>>>>>>>> user's bind is found in the new generated core file! >>>>>>>>> ok, so the user might try or use different passwords. it could >>>>>>>>> be >>>>>>>>> helpful if you can install the debuginfo for the ipa-server >>>>>>>>> package >>>>>>>>> and get a new stack. Please post it to teh list, you can XXXXX >>>>>>>>> the >>>>>>>>> credentials in the core, although I think they will not be >>>>>>>>> proper >>>>>>>>> credentials. >>>>>>>>> >>>>>>>>> Ludwig >>>>>>>>>> >>>>>>>>>> On 2016-06-30 14:50, Ludwig Krispenz wrote: >>>>>>>>>>> On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: >>>>>>>>>>>> >>>>>>>>>>>> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote: >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> Please find strace on a core file : >>>>>>>>>>>>> http://pastebin.com/v9cUzau4 >>>>>>>>>>>> the crash is in an IPA plugin, ipa_pwd_extop, >>>>>>>>>>>> to get a better stack you would have to install also the >>>>>>>>>>>> debuginfo for ipa-server. >>>>>>>>>>> but tje stack matches the error messages you have seen >>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - >>>>>>>>>>> [file >>>>>>>>>>> encoding.c, line 171]: generating kerberos keys failed >>>>>>>>>>> [Invalid >>>>>>>>>>> argument] >>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file >>>>>>>>>>> encoding.c, >>>>>>>>>>> line 225]: key encryption/encoding failed >>>>>>>>>>> they are from the function sin the call stack. >>>>>>>>>>> >>>>>>>>>>> Looks like the user has a password with a \351 char: >>>>>>>>>>> cred = {bv_len = 15, bv_val = 0x7fc7880013a0 >>>>>>>>>>> "d\351sertification"} >>>>>>>>>>> >>>>>>>>>>> does the crash always happen with a bind from this user ? 
>>>>>>>>>>> >>>>>>>>>>>> and then someone familiar with this plugin should look into >>>>>>>>>>>> it >>>>>>>>>>>>> >>>>>>>>>>>>> Regards >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 2016-06-30 12:13, Ludwig Krispenz wrote: >>>>>>>>>>>>>> can you get a core file ? >>>>>>>>>>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote: >>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The Directory Services crashes several times a day. It's >>>>>>>>>>>>>>> installed on CentOS 7 VM : >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Installed Packages >>>>>>>>>>>>>>> Name : ipa-server >>>>>>>>>>>>>>> Arch : x86_64 >>>>>>>>>>>>>>> Version : 4.2.0 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> # ipactl status >>>>>>>>>>>>>>> Directory Service: STOPPED >>>>>>>>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>>>>>>>> kadmin Service: RUNNING >>>>>>>>>>>>>>> ipa_memcached Service: RUNNING >>>>>>>>>>>>>>> httpd Service: RUNNING >>>>>>>>>>>>>>> pki-tomcatd Service: RUNNING >>>>>>>>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Before each crash, I have these messages in >>>>>>>>>>>>>>> /var/log/dirsrv/slapd-XXXXX/errors : >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] >>>>>>>>>>>>>>> ipapwd_encrypt_encode_key - [file encoding.c, line 171]: >>>>>>>>>>>>>>> generating kerberos keys failed [Invalid argument] >>>>>>>>>>>>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - >>>>>>>>>>>>>>> [file encoding.c, line 225]: key encryption/encoding >>>>>>>>>>>>>>> failed >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Any help? 
>>>>>>>>>>>>>>> Best regards
>>>>>>>>>>>>>>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: JXplorer - cder_007.png
Type: image/png
Size: 146955 bytes
Desc: not available

From datakid at gmail.com Wed Jul 6 06:32:02 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 6 Jul 2016 16:32:02 +1000
Subject: [Freeipa-users] AD PDC change
Message-ID:

Can I just confirm - the IT team are about to migrate our PDC across town.

I presume that the trust relationship is with the domain, not the actual machine itself. So our IPA server will just see the new PDC and everything will be smooth?

No need to change any config or create a new trust?

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper

From abokovoy at redhat.com Wed Jul 6 08:14:45 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 6 Jul 2016 11:14:45 +0300
Subject: [Freeipa-users] AD PDC change
In-Reply-To:
References:
Message-ID: <20160706081445.pj7ghl64cs52l7zw@redhat.com>

On Wed, 06 Jul 2016, Lachlan Musicman wrote:
>Can I just confirm - the IT team are about to migrate our PDC across town.
>
>I presume that the trust relationship is with the domain, not the actual
>machine itself.
>So our IPA server will just see the new PDC and everything
>will be smooth?
>
>No need to change any config or create a new trust?

Correct. The information about trust relationship is stored in AD LDAP and as such replicated across all domain controllers. There might be a period of outage when PDC is not online yet but already announced in the DNS records. At this time SSSD would ideally switch to another DC.

--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Wed Jul 6 08:35:09 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Jul 2016 09:35:09 +0100
Subject: [Freeipa-users] +dnssec in vendor repos - when?
Message-ID:

seems like official repos, centos at least lags a bit behind, currently it's 4.2.0 - question - does this support fully secure dns ? if not would devel know when we might be able to feed new/latest stable off the official repos?

many thanks,
L

From peljasz at yahoo.co.uk Wed Jul 6 10:24:40 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Jul 2016 11:24:40 +0100
Subject: [Freeipa-users] ipa server(master) and alternative name
Message-ID: <0851be69-5e2e-e274-3323-912999af916c@yahoo.co.uk>

hi users,

I'd like to ask if it possible to add (after deployment is finished) an AltSubjectName to fIPA master?

I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three server's IPs. Like eg. ipa-ca which seems to hold all servers IPs.

I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)

but I feel I got off on the wrong foot there, I see with ipa command:

ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

can this be done?

many thanks,
L

From peljasz at yahoo.co.uk Wed Jul 6 10:49:58 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Jul 2016 11:49:58 +0100
Subject: [Freeipa-users] how to make fIPA stick to only...
In-Reply-To: <577BEC73.6070508@redhat.com> References: <4aefc1cc-4361-577b-e8ed-7aed598b9c6f@redhat.com> <4fc681ee-b92a-0c43-14dc-fc94ed93c510@yahoo.co.uk> <6c7d8615-5205-a187-59c3-0974739f343e@yahoo.co.uk> <20160704142413.kyurvl3islteoqib@redhat.com> <577BEC73.6070508@redhat.com> Message-ID: <2d4c7ac7-5d48-8fa6-fc6e-4827449e3bef@yahoo.co.uk> On 05/07/16 18:20, Rob Crittenden wrote: > Alexander Bokovoy wrote: >> On Mon, 04 Jul 2016, lejeczek wrote: >>> >>> >>> On 04/07/16 07:59, Petr Spacek wrote: >>>> On 1.7.2016 16:29, lejeczek wrote: >>>>> >>>>> On 01/07/16 12:41, Petr Vobornik wrote: >>>>>> On 06/30/2016 04:56 PM, lejeczek wrote: >>>>>>> ... its own FQHN and its IP ? >>>>>>> >>>>>>> hi users, >>>>>>> >>>>>>> I'm fiddling with rewrites but being an amateur >>>>>>> cannot figure it out, >>>>>>> it's on a multi/home-IP box. Is it possible? >>>>>>> >>>>>>> many thanks, >>>>>>> >>>>>>> L. >>>>>>> >>>>>> Hi L. >>>>>> >>>>>> Could you describe your environment and use case in >>>>>> more details. >>>>>> It is >>>>>> not clear to me what you are trying to achieve or >>>>>> what doesn't work >>>>>> for you. >>>>>> >>>>>> Thank you >>>>> gee, I though my scenario would be quite common among >>>>> users, >>>>> take a box with more then one net ifs, or even >>>>> multiple IPs - what >>>>> would be >>>>> nice to have is fIPA webui resides/runs only on that >>>>> FQHN and that >>>>> IP to which >>>>> hostname resolves. Eg, here is one single system: >>>>> box1.my.dom.local 10.10.1.1 (eg, I go to >>>>> https://10.10.1.1/) >>>>> ipa.my.dom.local 10.10.1.2 >>>>> currently I get fIPA's webui everywhere, but I'd like >>>>> it to be only at >>>>> ipa.my.dom.local 10.10.1.2 (either if I URL via >>>>> hostname or IP) >>>>> I think it would be great to have included (maybe as >>>>> comments/options) this in >>>>> Apache's configs of IPA furure releases, if possible. >>>>> Is it possible to construct such rules? Or there is >>>>> different, >>>>> simpler way? 
>>>> I'm still trying to understand your use-case. Why >>>> exactly you need to >>>> limit >>>> the web UI to one 'host name' while keeping it on the >>>> same box? >>>> >>> I'm sorry I cannot explain this better, I my mind it's >>> really simple, >>> if I installed an instance of IPA on a ipa.my.dom.local >>> and the system >>> is a multi-homed/IP host I'd like webui to run only on >>> that host/IP >>> This should not even be a matter of "image a situation >>> where...." but >>> rather assume that IPA's are deployed on such >>> installations and then - >>> why would fIPA have to monopolize all the IP's/IFs there >>> are? >>> Me, I'd like to be able to use httpd under a root of >>> host's other >>> FQHN/IPs with other things. >> Your IPA masters hold passwords and keys to your company's >> infrastructure. We recommend to avoid sharing the servers >> used for >> running IPA masters with any other applications because >> any compromise >> of those applications can and will be used for taking >> over your >> infrastructure as you have so nicely given the keys to >> its heart by >> co-sharing the same system. >> >> It is up to you on how you make up your system defense. >> We as FreeIPA >> upstream developers put considerate effort in ensuring >> our default setup >> is secure enough to avoid such breaches. If you want to >> co-locate other >> applications, you need to understand what you are doing >> and how that >> affects your security. Effectively, you are on your own >> on this path. >> > > FTR, I think this is mostly controlled in > ipa-rewrite.conf. If the requested host is not the IPA > host or the port is not 443 or the request is for / then > ALL requests are redirected to the https://IPAHOST/ipa/ui > > This file should have enough comments to figure out what > part is doing what if you wanted to tweak it. I have to > agree with Alexander though. Running multiple services on > what should be the core of your infrastructure isn't > recommended. 
>
> rob

I know chaps, yes, safety is when paranoia next to it, together does look like normal wording, I understand.

yes, that I think is the config and seems that to control this behaviour is that one rewrite rule.

However, you must also realize that fIPA admins rarely do install on separate, dedicated boxes, instead I believe these are "heavy, bulky" and fast and multi-role/connected systems. So having an easy way to control fIPA webui config as an option (if not as default) is great, and it seems it's there.

thanks.

From andreas.ladanyi at kit.edu Wed Jul 6 11:32:37 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Wed, 6 Jul 2016 13:32:37 +0200
Subject: [Freeipa-users] Replace with 3rd part certificates
In-Reply-To:
References:
Message-ID: <577CEC55.8090109@kit.edu>

Hi,

is it possible that ipa-server-certinstall couldn't handle private keys without password ?

i would test it with a self-signed certificate and test private key file secured with password, but i don't know what happens after entering a valid private key unlock password. Could i stop the certificate import process at this point, so no change will happen to my productive ipa server ?

regards,
Andreas

> Hi,
>
> i try to replace the self signed certificate from the ipa installation
> with this description:
>
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> ipa-server-certinstall -w -d mysite.key mysite.crt
>
> The tool asks for the private key unlock password. The private key was
> generated without password. I tried out to press only the enter key, but
> it doesn't help. So I am confused. The certificate and keyfile are in PEM
> format.
>
> For testing I converted the private key with:
>
> openssl rsa -in -out
>
> because i want to know if openssl asks me for a password, but it doesn't.
>
> My version number is FreeIPA 4.1.
>
>
> regards,
> Andreas
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
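Andreas's question above boils down to whether the key file will prompt for a passphrase at all, which can be checked offline before anything is handed to ipa-server-certinstall. The following is an added example, not FreeIPA's or the list's own code: it classifies the blocks in a PEM key and certificate pair using only the Python standard library; the PEM bodies it checks itself against are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight check for a PEM key/certificate pair before a production import
such as ipa-server-certinstall.  Added example, not FreeIPA code: it reports
whether the key file will trigger a passphrase prompt and whether both files
hold well-formed PEM.  Standard library only; sample PEM bodies are constructed
placeholders, not real keys or certificates."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# A PEM block: BEGIN line, optional "Key: value" headers (used by legacy
# OpenSSL encrypted keys) and a blank line, base64 body, matching END line.
_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",                  # PKCS#8 plain / encrypted
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",  # legacy OpenSSL format
}


@dataclass
class PemBlock:
    label: str
    encrypted: bool        # True if a passphrase will be requested for it
    cipher: Optional[str]  # cipher from DEK-Info on legacy encrypted keys
    der_ok: bool           # base64 decodes and, when plain, is an ASN.1 SEQUENCE


def parse_pem(text: str) -> List[PemBlock]:
    """Split a PEM file into blocks and classify each one."""
    blocks = []
    for m in _BLOCK_RE.finditer(text):
        label, headers, body, in_headers = m.group("label"), {}, [], True
        for line in m.group("body").splitlines():
            line = line.strip()
            # base64 never contains ':', so a colon marks a header line.
            if in_headers and ":" in line:
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
                continue
            in_headers = False
            if line:
                body.append(line)
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error:
            der = b""
        legacy_encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted
        cipher = headers["DEK-Info"].split(",")[0] if legacy_encrypted and "DEK-Info" in headers else None
        # A legacy encrypted body is ciphertext, so the SEQUENCE tag (0x30)
        # is only checked on bodies that should be plain DER.
        der_ok = bool(der) and (encrypted or der[0] == 0x30)
        blocks.append(PemBlock(label, encrypted, cipher, der_ok))
    return blocks


def preflight(key_pem: str, cert_pem: str) -> dict:
    """Summarise what the import tool will see; an empty 'problems' means go."""
    keys = [b for b in parse_pem(key_pem) if b.label in PRIVATE_KEY_LABELS]
    certs = [b for b in parse_pem(cert_pem) if b.label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block in certificate file")
    problems += [f"{b.label}: body is not valid base64/DER" for b in keys + certs if not b.der_ok]
    return {
        "passphrase_needed": any(k.encrypted for k in keys),
        "key_format": keys[0].label if keys else None,
        "cert_count": len(certs),
        "problems": problems,
    }


def _pem(label: str, der: bytes, headers=()) -> str:
    """Build a constructed PEM block around a placeholder body (sample data only)."""
    head = "".join(f"{k}: {v}\n" for k, v in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed samples: SEQUENCE { INTEGER 0 } stands in for real key/cert DER.
_PLACEHOLDER_DER = bytes.fromhex("3003020100")
SAMPLE_PLAIN_KEY = _pem("RSA PRIVATE KEY", _PLACEHOLDER_DER)
SAMPLE_ENCRYPTED_KEY = _pem(
    "RSA PRIVATE KEY", b"\xde\xad\xbe\xef" * 4,
    [("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "AES-256-CBC,00112233445566778899AABBCCDDEEFF")],
)
SAMPLE_CERT = _pem("CERTIFICATE", _PLACEHOLDER_DER)

if __name__ == "__main__":
    for name, key in (("unencrypted", SAMPLE_PLAIN_KEY), ("encrypted", SAMPLE_ENCRYPTED_KEY)):
        print(name, preflight(key, SAMPLE_CERT))
```

Run it against the real mysite.key and mysite.crt by reading the files into the two arguments; a key that reports passphrase_needed False is one the tool should not need to unlock.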
URL: From nharrington at i-neda.com Wed Jul 6 11:55:05 2016 From: nharrington at i-neda.com (Neal Harrington | i-Neda Ltd) Date: Wed, 6 Jul 2016 11:55:05 +0000 Subject: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query In-Reply-To: <577BE7FD.1070705@redhat.com> References: , <577BE7FD.1070705@redhat.com> Message-ID: Hi Rob, Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd already tried this several times. Thanks again, Neal. ________________________________ From: Rob Crittenden Sent: 05 July 2016 18:01 To: Neal Harrington | i-Neda Ltd; freeipa-users at redhat.com Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query Neal Harrington | i-Neda Ltd wrote: > Hi, > > > I have successfully installed FreeIPA server version 4.2.0 on CentOS > 7.2, including replication between servers. I have a few > dozen Ubuntu 14.04 servers joined into IPA for authentication with > various user groups controlling access, sudo permissions etc and overall > I'm very happy. > > > I have however managed to trip myself up by installing the > Ubuntu clients with the --ssh-trust-dns option and now my users ssh keys > are not trusted and ssh login falls back to password based on the Ubuntu > clients. > > > If I uninstall a client, reboot and then reinstall without the > --ssh-trust-dns option then the users ssh key I imported into the web > interface is used and login is automatic over ssh. > > > I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and > can't see anything to control this. Most of my online searches cover > other aspects of ssh host keys in DNS. If I've missed anything obvious > then please point me in the right direction. 
> > > I have a reasonable number of servers to make this change on and ideally > I'd like to push out the change to a config file and maybe restart a > service. Is this behaviour easy to configure or would it be easier to go > through the uninstall/reboot/reinstall loop? Luckily these are all > testing servers so not a show stopper but I'd prefer to learn what is > actually controlling this. As far as I can tell this option sets this in sshd.conf: VerifyHostKeyDNS = yes HostKeyAlgorithms = ssh-rsa,ssh-dss I assume your DNS doesn't contain the SSHFP entries? rob -------------- next part -------------- An HTML attachment was scrubbed... URL: From BJB at jndata.dk Wed Jul 6 11:58:24 2016 From: BJB at jndata.dk (Bjarne Blichfeldt) Date: Wed, 6 Jul 2016 11:58:24 +0000 Subject: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED) Message-ID: <89213DDB84447F44A8E8950A5C2185E04825F073@SJN01013.jnmain00.corp.jndata.net> The solution was to add to root certificate to tomcat: /var/lib/pki/pki-tomcat/alias/ Now everything seems to work. Regards Bjarne From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Bjarne Blichfeldt Sent: 23. juni 2016 13:40 To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) Following this thread from January: https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html I am trying to accomplish the same, but seems to be stuck. My environment is: # cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) # ipa ping ------------------------------------------- IPA server version 4.2.0. API version 2.156 ------------------------------------------- # rpm -qa | grep ipa-server ipa-server-4.2.0-15.el7_2.15.x86_64 As the OP I have both a RootCA and a subCA. But I can't figure out how to install them. ipa-cacert-manage does not work, known bug. 
I am testing by changing the server certificate for ldaps on an ipa replica and then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa against the replica, but the replica server certificate is never accepted due to missing root certificate.

The problem is how to install the root certificates. I have tried:

Copy the root certificates to /etc/pki/ca-trust/source/anchors and run update-ca-trust - no go.

Installed the root CA's in all the nssdb I could think of:

DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
for dir in $DIR ; do
certutil -d $dir -A -n ECBsubCA -i subCA-sha256.pem -t CT,T,T
certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
done

Also no go.

I am out of ideas now.

--
Regards,
Bjarne

From rcritten at redhat.com Wed Jul 6 12:57:48 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Jul 2016 08:57:48 -0400
Subject: [Freeipa-users] ipa server(master) and alternative name
In-Reply-To: <0851be69-5e2e-e274-3323-912999af916c@yahoo.co.uk>
References: <0851be69-5e2e-e274-3323-912999af916c@yahoo.co.uk>
Message-ID: <577D004C.4090200@redhat.com>

lejeczek wrote:
> hi users,
>
> I'd like to ask if it possible to add (after deployment is finished) an
> AltSubjectName to fIPA master?

I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable.

> I shall say what I'm hoping to achieve - having 3 servers I hope to have
> in IPA's DNS a host, A record that will be resolving to three server's
> IPs. Like eg. ipa-ca which seems to hold all servers IPs.
>
> I started with:
>
> $ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address
> 10.5.6.100(which is master's IP)

For what purpose, to make it easier for users to find the IPA server?
> but I feel I got off on the wrong foot there, I see with ipa command:
>
> ipa: ERROR: cert validation failed for...
>
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.)

I assume you've already played with the certificates? The DNS change you made wouldn't cause this error.

rob

From rcritten at redhat.com Wed Jul 6 13:01:33 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Jul 2016 09:01:33 -0400
Subject: [Freeipa-users] Replace with 3rd part certificates
In-Reply-To: <577CEC55.8090109@kit.edu>
References: <577CEC55.8090109@kit.edu>
Message-ID: <577D012D.2070203@redhat.com>

Andreas Ladanyi wrote:
> Hi,
>
> is it possible that ipa-server-certinstall couldn't handle private keys
> without a password?

You can file an RFE at https://fedorahosted.org/freeipa/newticket

> i would test it with a self-signed certificate and a test private key file
> secured with a password, but i don't know what happens after entering a
> valid private key unlock password. Could i stop the certificate import
> process at this point, so no change will happen to my productive ipa
> server?

I would not recommend experimenting with random certificates.

It should be possible to add a password to your private key. A quick google found http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

rob

>
> regards,
> Andreas
>
>> Hi,
>>
>> i try to replace the self signed certificate from the ipa installation
>> with this description:
>>
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> ipa-server-certinstall -w -d mysite.key mysite.crt
>>
>> The tool asks for the private key unlock password. The private key was
>> generated without a password. I tried to press only the enter key, but
>> it doesn't help. So I am confused. The certificate and keyfile are in PEM
>> format.
>>
>> For testing I converted the private key with:
>>
>> openssl rsa -in -out
>>
>> because i want to know if openssl asks me for a password, but it doesn't.
>>
>> My version number is FreeIPA 4.1.
>>
>> regards,
>> Andreas

From rcritten at redhat.com Wed Jul 6 13:02:30 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Jul 2016 09:02:30 -0400
Subject: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query
In-Reply-To:
References: <577BE7FD.1070705@redhat.com>
Message-ID: <577D0166.8060309@redhat.com>

Neal Harrington | i-Neda Ltd wrote:
> Hi Rob,
>
> Thank you very much for your message. Unfortunately/fortunately after
> rebooting or restarting the ssh server this morning it is all working as
> I would expect. I'm not sure what I was missing yesterday but suspect a
> combination of sssd caching may have been confusing me as I'm sure
> I'd already tried this several times.

Very strange indeed. The sssd cache is persistent so rebooting shouldn't have affected it at all.

rob

> Thanks again,
> Neal.
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *Sent:* 05 July 2016 18:01
> *To:* Neal Harrington | i-Neda Ltd; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
> user ssh key query
> Neal Harrington | i-Neda Ltd wrote:
>> Hi,
>>
>> I have successfully installed FreeIPA server version 4.2.0 on CentOS
>> 7.2, including replication between servers. I have a few
>> dozen Ubuntu 14.04 servers joined into IPA for authentication with
>> various user groups controlling access, sudo permissions etc and overall
>> I'm very happy.
>>
>> I have however managed to trip myself up by installing the
>> Ubuntu clients with the --ssh-trust-dns option and now my users' ssh keys
>> are not trusted and ssh login falls back to password based on the Ubuntu
>> clients.
>>
>> If I uninstall a client, reboot and then reinstall without the
>> --ssh-trust-dns option then the user's ssh key I imported into the web
>> interface is used and login is automatic over ssh.
>>
>> I've looked through all the obvious places (/etc/ssh, sss, pam, etc) and
>> can't see anything to control this. Most of my online searches cover
>> other aspects of ssh host keys in DNS. If I've missed anything obvious
>> then please point me in the right direction.
>>
>> I have a reasonable number of servers to make this change on and ideally
>> I'd like to push out the change to a config file and maybe restart a
>> service. Is this behaviour easy to configure or would it be easier to go
>> through the uninstall/reboot/reinstall loop? Luckily these are all
>> testing servers so not a show stopper but I'd prefer to learn what is
>> actually controlling this.
>
> As far as I can tell this option sets this in sshd.conf:
>
> VerifyHostKeyDNS = yes
> HostKeyAlgorithms = ssh-rsa,ssh-dss
>
> I assume your DNS doesn't contain the SSHFP entries?
>
> rob

From peljasz at yahoo.co.uk Wed Jul 6 13:20:47 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Jul 2016 14:20:47 +0100
Subject: [Freeipa-users] ipa server(master) and alternative name
In-Reply-To: <577D004C.4090200@redhat.com>
References: <0851be69-5e2e-e274-3323-912999af916c@yahoo.co.uk> <577D004C.4090200@redhat.com>
Message-ID: <2ed1231c-183b-53ab-e2d3-269d22b5eefa@yahoo.co.uk>

On 06/07/16 13:57, Rob Crittenden wrote:
> lejeczek wrote:
>> hi users,
>>
>> I'd like to ask if it is possible to add (after deployment is finished) an
>> AltSubjectName to FreeIPA master?
>
> I don't see why not, they are just certs after all. You
> would need to be careful to get the certmonger tracking
> right but it should be doable.
>
>> I shall say what I'm hoping to achieve - having 3 servers I hope to have
>> in IPA's DNS a host, A record that will be resolving to three servers'
>> IPs. Like eg. ipa-ca which seems to hold all servers' IPs.
>>
>> I started with:
>>
>> $ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address
>> 10.5.6.100 (which is master's IP)
>
> For what purpose, to make it easier for users to find the
> IPA server?

Not IPA; the simplest thing: I'd like to use the same Apache that IPA uses on all servers - a local yum repo to be served from/via DNS round-robin.

>
>> but I feel I got off on the wrong foot there, I see with ipa
>> command:
>>
>> ipa: ERROR: cert validation failed for...
>>
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
>> has been marked as not trusted by the user.)
>
> I assume you've already played with the certificates? The
> DNS change you made wouldn't cause this error.
>

No, actually I have not. I did not add a host nor a service nor a cert; there is no trace of "linux" anywhere, only a DNS A record. To get rid of the error I have to remove that new host & restart IPA.

> rob
>

From simecek.tomas at gmail.com Wed Jul 6 13:22:34 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 6 Jul 2016 15:22:34 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID:

Hi Danila and other freeipa gurus,
sorry for my late answer, there is a bank holiday in CZ and I am off work these two days.

Yes, /etc/nsswitch.conf is fine, see:

[root at spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
sudoers: files sss

I think it is set up as part of the freeipa-client package.

I went through this guide: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO so I guess things are set right.
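Added example, not part of Tomas's message and not SSSD or sudo code: the ldap_search_ext filter in the sssd_linuxdomain.cz.log excerpt that follows shows how SSSD preselects sudo rules for a host. Exact forms (ALL, the FQDN, the short name, the host's IP and its network in CIDR form) are matched on the server; every rule whose sudoHost names a netgroup (+*) or contains a wildcard (\, ?, * escaped as \2A, or [..]) is fetched wholesale, as are rules with no sudoHost at all, and those are decided on the client once the rule is in the cache. The POSIX shell functions below rebuild that clause from a host's facts (the values are the ones visible in the log: spcss-2t-www.linuxdomain.cz, 10.1.62.88, 10.1.62.0/24) and evaluate a rule's sudoHost value locally for the common forms; the rule values tried at the end are made up, netgroups are treated as no match because resolving them needs innetgr() and a netgroup source, and dotted-netmask networks are not handled.

```shell
#!/bin/sh
# Added example (not SSSD or sudo code): rebuild the sudoHost clause SSSD
# sends for a host, and evaluate a rule's sudoHost value locally.
# Host facts below are the ones visible in the log; rule values are made up.
set -e

# sudo_host_filter FQDN SHORT IP NET/BITS: the clause exactly as SSSD logs
# it. Exact forms are matched by the server; "+*" (any netgroup) and any
# value containing \, ?, * (as \2A) or [..] are fetched wholesale and
# matched on the client, as are rules with no sudoHost at all.
sudo_host_filter() {
    printf '(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=%s)(sudoHost=%s)(sudoHost=%s)(sudoHost=%s)(sudoHost=+*)(|(sudoHost=*\\\\*)(sudoHost=*?*)(sudoHost=*\\2A*)(sudoHost=*[*]*)))' "$1" "$2" "$3" "$4"
}

# ip2int A.B.C.D: dotted quad as an integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: true if IP lies inside the network
in_cidr() {
    bits="${2#*/}"
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# sudo_host_matches VALUE FQDN SHORT IP: yes/no, the way the sudo side
# decides once SSSD has delivered the rule. Netgroups (+name) would need
# innetgr() and a netgroup source, so they count as no match here;
# dotted-netmask networks (a.b.c.d/m.m.m.m) are not handled either.
sudo_host_matches() {
    value="$1"; fqdn="$2"; short="$3"; ip="$4"
    case "$value" in
        ALL|"$fqdn"|"$short"|"$ip") echo yes ;;
        +*) echo no ;;
        */*) if in_cidr "$ip" "$value"; then echo yes; else echo no; fi ;;
        *)
            # anything else is a glob tried against the FQDN and the short name
            case "$fqdn" in $value) echo yes; return 0 ;; esac
            case "$short" in $value) echo yes; return 0 ;; esac
            echo no ;;
    esac
}

HOST_FQDN=spcss-2t-www.linuxdomain.cz
HOST_SHORT=spcss-2t-www
HOST_IP=10.1.62.88
HOST_NET=10.1.62.0/24

echo "filter SSSD would send for $HOST_FQDN:"
sudo_host_filter "$HOST_FQDN" "$HOST_SHORT" "$HOST_IP" "$HOST_NET"
echo
for v in ALL spcss-2t-www 10.1.62.0/24 10.1.63.0/24 'spcss-2t-*' '+unixadmins' db1.linuxdomain.cz; do
    printf 'sudoHost=%-24s %s\n' "$v" "$(sudo_host_matches "$v" "$HOST_FQDN" "$HOST_SHORT" "$HOST_IP")"
done
```

Pasting the printed clause into an ldapsearch against ou=sudoers with a bind that can read it is a quick way to see which rules the server will hand to a given client before involving SSSD's cache at all.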
When I try to sudo as domain user, sssd_linuxdomain.cz.log says the following:

(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.sudoHandler on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler] (0x0400): Entering be_sudo_handler()
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_handler] (0x0400): Issuing a refresh of specific sudo rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectClass=sudoRole)(|(cn=Pokusne)))(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=spcss-2t-www.linuxdomain.cz)(sudoHost=spcss-2t-www)(sudoHost=10.1.62.88)(sudoHost=10.1.62.0/24)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 6 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Pokusne,ou=sudoers,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 6 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 1 rules
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_sudo_purge_byname] (0x2000): Deleting sudo rule Pokusne
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule Pokusne
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [16136]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23893178c0], connected[1], ops[(nil)], ldap[0x7f2389333ff0]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 23 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f2389358c20], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 23 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 24 timeout 60
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23892e20d0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 24 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 25 timeout 60
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893168e0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 25 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 26
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 26 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 26 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 27
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 27 timeout 6
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[0x7f23893290a0], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 27 finished
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f23892e30b0], connected[1], ops[(nil)], ldap[0x7f2389352030]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 32185
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f2389359480] immediately.
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1199 (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32186] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server ' svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working' (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480] done. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [32186]. (Wed Jul 6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [32186] finished successfully. I'll appreciate any other hints if you have some. Thanks, Tomas Simecek 2016-07-05 15:58 GMT+02:00 Danila Ladner : > What about /etc/nsswitch.conf? > Does it have "sudo: files sss"? 
>
> On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek wrote:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can login without problems.
>> What I cannot make working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas at sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on client
>> side could be:
>>
>> [root at spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ
>> Password for simecek.tomas at SD-STC.CZ:
>> [root at spcss-2t-www ~]# klist
>> Default principal: simecek.tomas at SD-STC.CZ
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ at SD-STC.CZ
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
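The sssd_be log Tomas posted above is easier to triage once the failure-level entries are pulled out of the tracing noise. What follows is an added example, not part of this thread and not SSSD's own tooling: a small Python script that parses each debug line into timestamp, process, function, level and message, keeps only entries at the failure levels of the sssd.conf debug_level bitmask (0x0010 fatal down to 0x0080 minor), counts them by severity and logging function, and pulls the (status, errno) pairs out of be_pam_handler_callback lines so you can see what the backend actually answered to the PAM responder. The sample lines are constructed (shortened copies of entries from the log above, with one deliberately malformed line) and the function names parse_line, find_failures, summarize and pam_results are mine.

```python
import re
from collections import Counter

# Debug levels from the sssd.conf(5) debug_level bitmask. Anything at or
# below MINOR (0x0080) is a failure message worth surfacing during triage;
# the higher bits are configuration, operation and tracing noise.
FATAL, CRITICAL, SERIOUS, MINOR = 0x0010, 0x0020, 0x0040, 0x0080
SEVERITY = {
    FATAL: "fatal", CRITICAL: "critical", SERIOUS: "serious", MINOR: "minor",
    0x0100: "config", 0x0200: "func-data", 0x0400: "op-trace",
    0x1000: "ctrl-trace", 0x2000: "internal-vars", 0x4000: "low-level",
}

# One SSSD debug line has the shape
# (Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [func] (0x0080): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "               # ctime-style timestamp
    r"\[(?P<proc>sssd\[.+?)\] "          # process; brackets may nest (be[domain])
    r"\[(?P<func>[^\]]+)\] "             # C function that logged the message
    r"\((?P<level>0x[0-9a-fA-F]+)\): "   # debug level bit
    r"(?P<msg>.*)$"
)

# The PAM responder callback logs the backend answer as "(status, errno, msg)".
PAM_RESULT_RE = re.compile(r"Backend returned: \((\d+), (\d+), [^)]*\)")

# Constructed sample: shortened copies of entries from the sssd_be log in the
# thread above, plus one line that is not an SSSD debug line at all.
SAMPLE_LOG = """\
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 26 timeout 6
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
this line is not an sssd debug line
"""


def parse_line(line):
    """Split one debug line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "proc": m.group("proc"),
        "func": m.group("func"),
        "level": int(m.group("level"), 16),
        "msg": m.group("msg"),
    }


def find_failures(text, max_level=MINOR):
    """Return failure-level records, most severe (lowest bit) first."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["level"] <= max_level:
            records.append(rec)
    records.sort(key=lambda r: r["level"])  # stable: keeps log order within a level
    return records


def summarize(text):
    """Count failures by (severity name, logging function) for a quick overview."""
    counts = Counter()
    for rec in find_failures(text):
        counts[(SEVERITY.get(rec["level"], hex(rec["level"])), rec["func"])] += 1
    return counts


def pam_results(text):
    """Extract (pam_status, errno) pairs from be_pam_handler_callback lines."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "be_pam_handler_callback":
            continue
        m = PAM_RESULT_RE.search(rec["msg"])
        if m:
            results.append((int(m.group(1)), int(m.group(2))))
    return results


if __name__ == "__main__":
    for rec in find_failures(SAMPLE_LOG):
        name = SEVERITY.get(rec["level"], hex(rec["level"]))
        print(f"{name:>8}  {rec['func']}: {rec['msg']}")
    print("PAM results:", pam_results(SAMPLE_LOG))
```

To run it against a real file, pass the file contents to find_failures, for example the domain backend log (/var/log/sssd/sssd_linuxdomain.cz.log in Tomas's setup). sssd_sudo.log, which Jakub asks for later in the thread, uses the same line format, so the same parser applies to it. Note what the sample shows: the backend answered (0, 0) to the SSS_PAM_PREAUTH request, so the 0x0020 and 0x0080 entries about the missing group object in the sysdb cache are the only failures in this extract, and they are emitted while saving the AD user's memberships, not during authentication.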
URL:

From peljasz at yahoo.co.uk Wed Jul 6 14:37:55 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Jul 2016 15:37:55 +0100
Subject: [Freeipa-users] dns zone forward - no valid signature found
Message-ID:

hi everybody

I think this was working some time ago, but for a while queries through IPA's DNS forwarders have wound up like this:

validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53

dig at IPA DNS and nothing, logs:

validating @0x7f85e0134880: my.dom SOA: no valid signature found
validating @0x7f85e0134880: my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)

I dig +dnssec directly at the receiving server and the result seems normal, no errors.

IPA's DNS is not DNSSEC-signed, is this the root of the problem? Or what else might it be?

bw.
L

From andreas.ladanyi at kit.edu Wed Jul 6 14:41:23 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Wed, 6 Jul 2016 16:41:23 +0200
Subject: [Freeipa-users] Replace with 3rd part certificates
In-Reply-To: <577D012D.2070203@redhat.com>
References: <577CEC55.8090109@kit.edu> <577D012D.2070203@redhat.com>
Message-ID: <577D1893.7030403@kit.edu>

Hi Rob,

>> Hi,
>>
>> is it possible that ipa-server-certinstall couldn't handle private keys
>> without password ?
>
> You can file an RFE at https://fedorahosted.org/freeipa/newticket

It seems that ipa-server-certinstall couldn't handle private keys with password, too. See my result below.

>
>> I would test it with a self-signed certificate and test private key file
>> secured with password, but I don't know what happens after entering a
>> valid private key unlock password. Could I stop the certificate import
>> process at this point, so no change will happen to my production IPA
>> server ?
>
> I would not recommend experimenting with random certificates.
>
> It should be possible to add a password to your private key. A quick
> google found
> http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key
ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access: Invalid credentials

Andreas

From jhrozek at redhat.com Wed Jul 6 15:03:10 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 6 Jul 2016 17:03:10 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID: <20160706150310.GG3921@hendrix>

On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> Hi Danila and other freeipa gurus,
> sorry for my late answer, there is a bank holiday in CZ and I am off work
> these two days.
> Yes, /etc/nsswitch.conf is fine, see:
>
> [root at spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo
> sudoers: files sss
>
> I think it is set up as part of freeipa-client package.
> I went through this guide:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

We also need to see sssd_sudo.log and the log from the sudo itself
(configured in /etc/sudo.conf)

From ladner.danila at gmail.com Wed Jul 6 15:09:42 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Wed, 6 Jul 2016 11:09:42 -0400
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To: <20160706150310.GG3921@hendrix>
References: <20160706150310.GG3921@hendrix>
Message-ID:

Yeah, please enable logging in [sudo] section of sssd.

On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek wrote:
> On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote:
> > Hi Danila and other freeipa gurus,
> > sorry for my late answer, there is a bank holiday in CZ and I am off work
> > these two days.
> > Yes, /etc/nsswitch.conf is fine, see: > > > > [root at spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo > > sudoers: files sss > > > > I think it is set up as part of freeipa-client package. > > I went through this guide: > > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO > > We also need to see sssd_sudo.log and the log from the sudo itself > (configured in /etc/sudo.conf) > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prashant at apigee.com Wed Jul 6 17:06:39 2016 From: prashant at apigee.com (Prashant Bapat) Date: Wed, 6 Jul 2016 22:36:39 +0530 Subject: [Freeipa-users] Deny bind for external LDAP if password is expired Message-ID: Hi, We are using FreeIPA's LDAP as the base for user authentication in a different application. So far I have created a sysaccount which does the lookup etc for a user and things are working as expected. I'm even able to use OTP from the external app. One problem I'm struggling to fix is the expired passwords. Is there a way to deny bind to LDAP only from this application? Obviously the user would need to go to IPA's web UI and reset his password there. I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but looks like this is an old one. Thanks. --Prashant -------------- next part -------------- An HTML attachment was scrubbed... URL: From joannadelaporte at gmail.com Wed Jul 6 17:16:16 2016 From: joannadelaporte at gmail.com (Joanna Delaporte) Date: Wed, 6 Jul 2016 12:16:16 -0500 Subject: [Freeipa-users] Can I migrate group password hashes from NIS? Message-ID: I have successfully migrated some user password hashes from an NIS domain. I am wondering if there is a similar method for migrating group passwords. I haven't found any discussion or documentation on it. Thanks! 
Joanna -- Joanna Delaporte Linux Systems Administrator | Parkland College joannadelaporte at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From khankin.konstantin at gmail.com Wed Jul 6 17:50:47 2016 From: khankin.konstantin at gmail.com (Konstantin M. Khankin) Date: Wed, 6 Jul 2016 20:50:47 +0300 Subject: [Freeipa-users] FreeIPA 4.2.0 and Windows XP Message-ID: Hi! I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs: * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA * http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step * Discussion at https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html I can obtain kerberos ticket using kinit from JRE (for some reasons I can't find other kinit in Windows), but I can't logon. I tried the following: 1) ksetup /mapuser * * 2) ksetup /mapuser * 3) ksetup /mapuser user at DOMAIN user 4) logging not into Kerberos realm, but into local computer using user at DOMAIN login 5) logging into Kerberos realm using "user" login 6) logging into Kerberos realm using user at DOMAIN login With any of these I see successful attempts in krb5kdc.log (so the user passes pre-auth against kdc), but Windows keep saying that the username or password is not correct. I also tried to reset user's password in freeipa and then login - windows asked to change password and successfully changed it, but still doesn't let the user in I have no problems with this setup on 2 computers with Windows 7. Haven't tried other computers running Windows XP though What am I doing wrong? Thanks! -- Konstantin Khankin -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From abokovoy at redhat.com Wed Jul 6 17:58:28 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 6 Jul 2016 20:58:28 +0300 Subject: [Freeipa-users] FreeIPA 4.2.0 and Windows XP In-Reply-To: References: Message-ID: <20160706175828.l2ph6hu67erkzarf@redhat.com> On Wed, 06 Jul 2016, Konstantin M. Khankin wrote: >Hi! > >I'm trying to set up Windows XP to get a Kerberos ticket for the user on >login using the following docs: > >* http://www.freeipa.org/page/Windows_authentication_against_FreeIPA >* >http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step >* Discussion at >https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html > >I can obtain kerberos ticket using kinit from JRE (for some reasons I can't >find other kinit in Windows), but I can't logon. I tried the following: >1) ksetup /mapuser * * >2) ksetup /mapuser * >3) ksetup /mapuser user at DOMAIN user >4) logging not into Kerberos realm, but into local computer using >user at DOMAIN login >5) logging into Kerberos realm using "user" login >6) logging into Kerberos realm using user at DOMAIN login > >With any of these I see successful attempts in krb5kdc.log (so the user >passes pre-auth against kdc), but Windows keep saying that the username or >password is not correct. > >I also tried to reset user's password in freeipa and then login - windows >asked to change password and successfully changed it, but still doesn't let >the user in > >I have no problems with this setup on 2 computers with Windows 7. Haven't >tried other computers running Windows XP though > >What am I doing wrong? No idea. We don't support this setup at all so your mileage indeed varies a lot. Did you look at the eventlog on Windows XP? -- / Alexander Bokovoy From khankin.konstantin at gmail.com Wed Jul 6 18:00:09 2016 From: khankin.konstantin at gmail.com (Konstantin M. 
Khankin) Date: Wed, 6 Jul 2016 21:00:09 +0300 Subject: [Freeipa-users] FreeIPA 4.2.0 and Windows XP In-Reply-To: <20160706175828.l2ph6hu67erkzarf@redhat.com> References: <20160706175828.l2ph6hu67erkzarf@redhat.com> Message-ID: Yes, I had a look at the eventlog, but there are no failures and no events at all related to failed login. Maybe I can increase verbosity level somehow? 2016-07-06 20:58 GMT+03:00 Alexander Bokovoy : > On Wed, 06 Jul 2016, Konstantin M. Khankin wrote: > >> Hi! >> >> I'm trying to set up Windows XP to get a Kerberos ticket for the user on >> login using the following docs: >> >> * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA >> * >> >> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step >> * Discussion at >> https://www.redhat.com/archives/freeipa-users/2008-November/msg00063.html >> >> I can obtain kerberos ticket using kinit from JRE (for some reasons I >> can't >> find other kinit in Windows), but I can't logon. I tried the following: >> 1) ksetup /mapuser * * >> 2) ksetup /mapuser * >> 3) ksetup /mapuser user at DOMAIN user >> 4) logging not into Kerberos realm, but into local computer using >> user at DOMAIN login >> 5) logging into Kerberos realm using "user" login >> 6) logging into Kerberos realm using user at DOMAIN login >> >> With any of these I see successful attempts in krb5kdc.log (so the user >> passes pre-auth against kdc), but Windows keep saying that the username or >> password is not correct. >> >> I also tried to reset user's password in freeipa and then login - windows >> asked to change password and successfully changed it, but still doesn't >> let >> the user in >> >> I have no problems with this setup on 2 computers with Windows 7. Haven't >> tried other computers running Windows XP though >> >> What am I doing wrong? >> > No idea. We don't support this setup at all so your mileage indeed > varies a lot. 
>
> Did you look at the eventlog on Windows XP?
>
> --
> / Alexander Bokovoy
>

--
Konstantin Khankin

From abokovoy at redhat.com Wed Jul 6 18:10:33 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 6 Jul 2016 21:10:33 +0300
Subject: [Freeipa-users] FreeIPA 4.2.0 and Windows XP
In-Reply-To:
References: <20160706175828.l2ph6hu67erkzarf@redhat.com>
Message-ID: <20160706181033.vq6bt2z7jolkmzni@redhat.com>

On Wed, 06 Jul 2016, Konstantin M. Khankin wrote:
>Yes, I had a look at the eventlog, but there are no failures and no events
>at all related to failed login. Maybe I can increase verbosity level
>somehow?
Try to intercept network traffic between Windows XP and IPA master.
Maybe it tries to use DCE RPC over SMB as well?
--
/ Alexander Bokovoy

From sparky at charlietango.com Wed Jul 6 19:30:56 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Wed, 6 Jul 2016 15:30:56 -0400
Subject: [Freeipa-users] k5login not working?
Message-ID:

I must be missing something really obvious.

Our IPA server is set up in the usual way on CentOS 7.2, just a "yum install ipa-server" and then an "ipa-server-install." DNS is set up correctly and is working.

I've got a handful of CentOS 7.2 servers configured as IPA clients: "yum install ipa-client", "ipa-client-install." Auto-detection of the realm, domain and server were normal.

But k5login is not working as expected. If I have this .k5login file in the admin user's home directory on server A:

alice at CHARLIETANGO.COM
bob@CHARLIETANGO.COM

I would expect to be able to do this:

kinit alice at CHARLIETANGO.COM
ssh -K admin at serverA

from anywhere in the Kerberos realm. Instead my credentials get rejected and I'm asked for the admin user's password.

It feels like sshd on the server isn't even looking at k5login. (I also tried k5users; same result.)

The permissions on .k5login are correct.
I tried it with SELinux off as well just in case that was it.

What blindingly obvious thing have I overlooked?

Thanks.

From sbose at redhat.com Wed Jul 6 20:00:46 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 6 Jul 2016 22:00:46 +0200
Subject: [Freeipa-users] k5login not working?
In-Reply-To:
References:
Message-ID: <20160706200046.GF30099@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a "yum
> install ipa-server" and then an "ipa-server-install." DNS is set up
> correctly and is working.
>
> I've got a handful of CentOS 7.2 servers configured as IPA clients: "yum
> install ipa-client", "ipa-client-install." Auto-detection of the realm,
> domain and server were normal.
>
> But k5login is not working as expected. If I have this .k5login file in the
> admin user's home directory on server A:
>
> alice at CHARLIETANGO.COM
> bob@CHARLIETANGO.COM
>
> I would expect to be able to do this:
>
> kinit alice at CHARLIETANGO.COM
> ssh -K admin at serverA
>
> from anywhere in the Kerberos realm. Instead my credentials get rejected
> and I'm asked for the admin user's password.
>
> It feels like sshd on the server isn't even looking at k5login. (I also
> tried k5users; same result.)
>
> The permissions on .k5login are correct. I tried it with SELinux off as
> well just in case that was it.
>
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth plugin
provided by SSSD has too strict default settings. One is the
'enable_only = sssd' option in the config snippet. The other is that it
acts authoritative for SSSD users. A fix for both was just pushed upstream
today.
If you currently do not need the localauth plugin you can disable it by creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file and make it unmodifiable with chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin This should allow the default methods including k5login again. Please note that you might need to add the old RULE based mapping as described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html or add .k5login files for every user to make GSSAPI authentication work smoothly. As an alternative we hope to release the next SSSD version including the patches anytime soon and later on there might be build for 7.2 available. HTH bye, Sumit > > Thanks. > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From joannadelaporte at gmail.com Wed Jul 6 20:19:19 2016 From: joannadelaporte at gmail.com (Joanna Delaporte) Date: Wed, 6 Jul 2016 15:19:19 -0500 Subject: [Freeipa-users] NFS automount - doesn't update UID/GID info on client after chown on nfs server Message-ID: Hi there, I am still working on migrating my users from NIS to IPA. I have a lot of it working. However, the issue I am dealing with now is that NFS UID ownership on nfs/ipa-client machine is not updating when I change the owner's UID and update the files ownership on the NFS server. I refreshed the sssd cache and restarted nfs-idmapd before changing owner on the NFS server, to make sure I had the most up-to-date info from the IPA server. The user (20182) correctly owns the files on the NFS server. I refreshed the sssd cache on the nfs/ipa-client. I also tried restarting nfs-client.target and relogging. No dice. My user files are still owned by old UID (20114) on the client, even though they are automounted from the NFS server. The user entity is correct on the client (UID 20182). 
How do I get the file ownership info to update correctly on the nfs client?

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From sparky at charlietango.com Wed Jul 6 20:59:36 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Wed, 6 Jul 2016 16:59:36 -0400
Subject: [Freeipa-users] k5login not working?
In-Reply-To: <20160706200046.GF30099@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20160706200046.GF30099@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

Oh wow, I see.

I did some playing around with /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a minimum-change scenario and found that this:

[plugins]
localauth = {
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
# enable_only = sssd
}

seems to get me where I need to be. Adding that one character seems to be enough to make .k5login work as expected. Specifically:

Take a brand new IPA client, created with "ipa-client-install" and accepting the defaults.

Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out the enable_only line as above.

cat <<'EOF' > /root/.k5login
yourusername at YOURDOMAIN.COM
EOF

From another computer anywhere in the domain:

kinit yourusername at YOURDOMAIN.COM

Then:

ssh -K root at wherever

This works for me. I've got all my servers under Salt config management anyway, so it's not *that* big a deal to add that one byte to each of them.

Thank you very, very much for the help.

On July 6, 2016 at 1:00:53 PM, Sumit Bose (sbose at redhat.com) wrote:

On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a "yum
> install ipa-server" and then an "ipa-server-install." DNS is set up
> correctly and is working.
>
> I've got a handful of CentOS 7.2 servers configured as IPA clients: "yum
> install ipa-client", "ipa-client-install." Auto-detection of the realm,
> domain and server were normal.
>
> But k5login is not working as expected. If I have this .k5login file in the
> admin user's home directory on server A:
>
> alice at CHARLIETANGO.COM
> bob@CHARLIETANGO.COM
>
> I would expect to be able to do this:
>
> kinit alice at CHARLIETANGO.COM
> ssh -K admin at serverA
>
> from anywhere in the Kerberos realm. Instead my credentials get rejected
> and I'm asked for the admin user's password.
>
> It feels like sshd on the server isn't even looking at k5login. (I also
> tried k5users; same result.)
>
> The permissions on .k5login are correct. I tried it with SELinux off as
> well just in case that was it.
>
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth plugin
provided by SSSD has too strict default settings. One is the
'enable_only = sssd' option in the config snippet. The other is that it
acts authoritative for SSSD users. A fix for both was just pushed upstream
today.

If you currently do not need the localauth plugin you can disable it by
creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file
and make it unmodifiable with

chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

This should allow the default methods including k5login again. Please note
that you might need to add the old RULE based mapping as described in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
or add .k5login files for every user to make GSSAPI authentication work
smoothly.

As an alternative we hope to release the next SSSD version including the
patches anytime soon and later on there might be a build for 7.2 available.

HTH

bye,
Sumit

>
> Thanks.
> -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jul 6 21:24:06 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 6 Jul 2016 17:24:06 -0400 Subject: [Freeipa-users] Can I migrate group password hashes from NIS? In-Reply-To: References: Message-ID: <577D76F6.70502@redhat.com> Joanna Delaporte wrote: > I have successfully migrated some user password hashes from an NIS > domain. I am wondering if there is a similar method for migrating group > passwords. I haven't found any discussion or documentation on it. You do it the same way as users. Note that there are no IPA commands to manage a group password and group passwords are completely untested (the attribute is available though). rob From mkosek at redhat.com Thu Jul 7 06:49:49 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 7 Jul 2016 08:49:49 +0200 Subject: [Freeipa-users] Password sync settings not working In-Reply-To: <1671523.bhMpoLTfq6@hosanna> References: <1711638.VYOPI54qdq@hosanna> <1671523.bhMpoLTfq6@hosanna> Message-ID: <9268fae3-89fa-8a1d-a733-e00d03e8d2fd@redhat.com> Good! Thanks for confirmation (I suspected PEBKAC, thus my questions). Martin On 07/02/2016 10:01 PM, Joshua J. Kugler wrote: > Thanks. In a case of extreme PEBKAC, I had copied the example and failed to > update the DN. It works now. > > j > > > On Monday, June 13, 2016 09:35:53 Martin Kosek wrote: >> On 06/10/2016 01:59 AM, Joshua J. Kugler wrote: >>> Howdy! >>> >>> We are trying to set up password sync. 
I have read this: >>> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/h >>> tml-single/Windows_Integration_Guide/index.html#password-sync >>> >>> I have added that attribute: >>> echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype: >>> modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: >>> uid=admin,cn=users,cn=accounts,dc=example,dc=com' | ldapmodify -x -D >>> 'cn=Directory Manager' -w {{ ipaserver_dir_admin_password }} -h localhost >>> -p 389 >>> >>> However, when I reset a password as the 'admin' user, the user's password >>> is still set to expired. This is CentOS 7 with the latest FreeIPA there. >>> >>> What might I be missing? >> >> I would try to double check that the passSyncManagersDNs is indeed filled >> properly in the plugin configuration. Base ldapsearch will help. >> >> Then I would also recommend checking your global password policy "ipa >> pwpolicy-show" to make sure that you for example do not have the password >> max life set to 0, which would cause this behavior in current FreeIPA >> version. >> >> Martin > From pspacek at redhat.com Thu Jul 7 07:04:01 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 7 Jul 2016 09:04:01 +0200 Subject: [Freeipa-users] +dnssec in vendor repos - when? In-Reply-To: References: Message-ID: On 6.7.2016 10:35, lejeczek wrote: > seems like official repos, centos at least lags a bit behind, currently it's > 4.2.0 - question - does this support fully secure dns ? Version 4.2.0 is not the best for DNSSEC deployment. IPA 4.3.1 contains important fixes related to DNSSEC. Please note that even 4.3.1 contains some bug which may force you to restart named-pkcs11 from time to time. We did not find the root cause yet. > if not would devel know when we might be able to feed new/latest stable off > the official repos? Exact date is unclear, as usual. 
Stay tuned :-) -- Petr^2 Spacek From pspacek at redhat.com Thu Jul 7 07:09:36 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 7 Jul 2016 09:09:36 +0200 Subject: [Freeipa-users] dns zone forward - no valid signature found In-Reply-To: References: Message-ID: <8922f8ec-5628-623c-64e9-6d95511c7d04@redhat.com> On 6.7.2016 16:37, lejeczek wrote: > hi everybody > > I think this was working some time ago, but for while queries IPA's DNS > forwards wound up like this: > > validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found > validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS) > error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53 > > dig at IPA DNS and nothing, logs: > > validating @0x7f85e0134880: my.dom SOA: no valid signature found > validating @0x7f85e0134880: my.dom NSEC: no valid signature found > validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found > validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS) > > I dig +dnssec directly at the receiving server and result seems normal, no > errors. > > IPA's dns is not dnsseced, is this the root of the problem? Or what else might > be? Obfuscated domain names are making impossible to tell where the problem lies. Try dnsviz.net or similar tool, enter domain name into it and let it diagnose the domain for you. If DNSviz claims that the domain is correctly signed (or not) then the problem is likely in forwarder configuration. All forwarders used in your DNS chain have to be configured with equivalent of named.conf option 'dnssec-enable yes;'. I hope this helps. -- Petr^2 Spacek From pspacek at redhat.com Thu Jul 7 07:14:35 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 7 Jul 2016 09:14:35 +0200 Subject: [Freeipa-users] ipa-ods-exporter failed ? 
In-Reply-To: <2310076.IhaplX0rCg@techz> References: <3253760.hiacI6SPC6@techz> <4253691.QxeogKA5rI@techz> <3bd573a9-8a31-0031-7f65-19d4c1aa48f7@redhat.com> <2310076.IhaplX0rCg@techz> Message-ID: <82a069e0-543e-f1bc-a36b-c93e8bcac686@redhat.com> On 23.6.2016 15:27, G?nther J. Niederwimmer wrote: > Hello Martin, > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: >> On 20.06.2016 18:48, G?nther J. Niederwimmer wrote: >>> Hello, >>> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek: >>>> On 18.6.2016 15:03, G?nther J. Niederwimmer wrote: >>>>> hello, >>>>> >>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti: >>>>>> On 17.06.2016 18:29, G?nther J. Niederwimmer wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti: >>>>>>>> On 17.06.2016 12:54, G?nther J. Niederwimmer wrote: >>>>>>>>> Hello List, >>>>>>>>> >>>>>>>>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek: >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote: >>>>>>>>>>> On (16/06/16 11:54), G?nther J. Niederwimmer wrote: >>>>>>>>>>>> Hello >>>>>>>>>>>> >>>>>>>>>>>> on my system the ods-exporter i mean have a problem. >>>>>>>>>>>> >>>>>>>>>>>> I have this in the logs >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1 >>>>>>>>>>>> >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise >>>>>>>>>>>> errors.ACIError(info=info) >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: >>>>>>>>>>>> Insufficient >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>>>>>>>>>>> failure. >>>>>>>>>>>> Minor code may provide more information (Ticket expired) >>>>>>>>>>>> >>>>>>>>>>> ^^^^^^^^^^^^^^ >>>>>>>>>>> >>>>>>>>>>> Here seems to be a reason why it failed. >>>>>>>>>>> But I can't help you more. >>>>>>>>>> >>>>>>>>>> Lukas is right. 
Interesting, this should never happen :-) >>>>>>>>> >>>>>>>>> this have I also found ;-) >>>>>>>>> >>>>>>>>>> Please enable debugging using procedure >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_ >>>>>>>>>> re >>>>>>>>>> tu >>>>>>>>>> rn >>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart. >>>>>>>>>> Thank you! >>>>>>>>> >>>>>>>>> OK, >>>>>>>>> >>>>>>>>> I attache the messages log? >>>>>>>>> >>>>>>>>> I mean this is a problem with my DNS ? >>>>>>>> >>>>>>>> Hello, >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI? >>>>>>>> >>>>>>>> identity/services/ipa-ods-exported/ >>>>>>>> There should be kerberos status in right top corner in details view >>>>>>> >>>>>>> I have a >>>>>>> identity/services/ipa-ods-exporter/.. >>>>>>> >>>>>>> with a "Kerberos Key Present, Service Provisioned" >>>>>>> >>>>>>> but no Certificate ? >>>>>> >>>>>> Can you try, >>>>>> >>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab >>>>>> ipa-ods-exporter/$(hostname) >>>>> >>>>> OK >>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods- >>>>> exporter/$(hostname)" >>>>> >>>>> written on one line!! is this OK. >>>>> >>>>>> and do ldapsearch >>>>>> # ldapsearch -Y GSSAPI >>>>> >>>>> and also ldapsearch is OK >>>>> >>>>>> It should show us if keytab is okay >>>>> >>>>> But the Error is present :-(. >>>> >>>> We need to see precise error. Please copy&paste it into the e-mail. >>> >>> that is it. >>> >>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed. >>> >>>> It would be awesome if you could follow general rules for bug reporting: >>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html >>>> >>>> Besides other things it would allow us to help you in shorter time. >>>> >>>> Have a nice day! >> >> This is weird, It looks like your kerberos keytab is valid, but I have >> no idea why you are getting ticket expired messages. It should just >> kinit again. 
>> >> Can you please remove this ccache file? >> /var/opendnssec/tmp/ipa-ods-exporter.ccache > > OK now i make a ipactl stop remove the ccache file and start ipa again. > > to start the ods-exporte I have to wait a long time 1-2 min. ;-) > > I send you the log without debug when you like this with debug tell me. > Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last): > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- > exporter", line 656, in > Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind() > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ > ipapython/ipaldap.py", line 1085, in gssapi_bind > Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, > client_controls) > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ > contextlib.py", line 35, in __exit__ > Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ > ipapython/ipaldap.py", line 992, in error_handler > Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info) > Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient > access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > Minor code may provide more information (Ticket expired) > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process exited, > code=exited, status=1/FAILURE > Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed > state. > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed. This is really weird, I have no idea what happened. We can try a big hammer: Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g. /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT and re-run ipa-dns-install with the same options as you used for the first time. It should re-create the keytab and all other things. I hope it will help. 
--
Petr^2 Spacek

From sbose at redhat.com Thu Jul 7 08:46:52 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 7 Jul 2016 10:46:52 +0200
Subject: [Freeipa-users] k5login not working?
In-Reply-To:
References: <20160706200046.GF30099@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160707084652.GA2919@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Jul 06, 2016 at 04:59:36PM -0400, Jeffery Harrell wrote:
> Oh wow, I see. I did some playing around with
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a
> minimum-change scenario and found that this:
>
> [plugins]
> localauth = {
> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> # enable_only = sssd
> }
>
> seems to get me where I need to be. Adding that one character seems to be
> enough to make .k5login work as expected.
>
> Specifically:
>
> Take a brand new IPA client, created with 'ipa-client-install' and
> accepting the defaults.
>
> Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out
> the enable_only line as above.
>
> cat <<'EOF' > /root/.k5login
> yourusername@YOURDOMAIN.COM
> EOF
>
> From another computer anywhere in the domain:
>
> kinit yourusername@YOURDOMAIN.COM
>
> Then:
>
> ssh -K root@wherever
>
> This works for me. I've got all my servers under Salt config management
> anyway, so it's not *that* big a deal to add that one byte to each of them.

ok, makes sense. As long as the target users are local (from /etc/passwd),
removing 'enable_only = sssd' is sufficient. For IPA users
sssd_krb5_localauth_plugin would still act authoritative, i.e. you have to
remove/comment it out as well if you want to use k5login for IPA user to
IPA user.

Please note that SSSD will rewrite the file on restart, so you still might
want to use chattr +i to keep your changes.

> Thank you very, very much for the help.

You're welcome.
bye, Sumit > > > > > On July 6, 2016 at 1:00:53 PM, Sumit Bose (sbose at redhat.com) wrote: > > On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote: > > I must be missing something really obvious. > > > > Our IPA server is set up in the usual way on CentOS 7.2, just a ?yum > > install ipa-server? and then an ?ipa-server-install.? DNS is set up > > correctly and is working. > > > > I?ve got a handful of CentOS 7.2 servers configured as IPA clients ? ?yum > > install ipa-client?, ?ipa-client-install.? Auto-detection of the realm, > > domain and server were normal. > > > > But k5login is not working as expected. If I have this .k5login file in > the > > admin user?s home directory on server A: > > > > alice at CHARLIETANGO.COMbob@CHARLIETANGO.COM > > > > I would expect to be able to do this: > > > > kinit alice at CHARLIETANGO.COM > > ssh -K admin at serverA > > > > from anywhere in the Kerberos realm. Instead my credentials get rejected > > and I?m asked for the admin user?s password. > > > > It feels like sshd on the server isn?t even looking at k5login. (I also > > tried k5users; same result.) > > > > The permissions on .k5login are correct. I tried it with SELinux off as > > well just in case that was it. > > > > What blindingly obvious thing have I overlooked? > > I guess you have an issue similar to > https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth > plugin provided by SSSD has too stricts default settings. One is the > 'enable_only = sssd' option in the config snippet. The other is that it > acts authoritative for SSSD users. A fix for both was just pushed > upstream today. > > If you currently do not need the localauth plugin you can disable it by > creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin > file and make it unmodifiable with > > chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin > > This should allow the default methods including k5login again. 
Please > note that you might need to add the old RULE based mapping as described > in > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html > or add .k5login files for every user to make GSSAPI authentication work > smoothly. > > As an alternative we hope to release the next SSSD version including the > patches anytime soon and later on there might be build for 7.2 > available. > > HTH > > bye, > Sumit > > > > > Thanks. > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project From gjn at gjn.priv.at Thu Jul 7 09:32:10 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Thu, 07 Jul 2016 11:32:10 +0200 Subject: [Freeipa-users] ipa-ods-exporter failed ? In-Reply-To: <82a069e0-543e-f1bc-a36b-c93e8bcac686@redhat.com> References: <3253760.hiacI6SPC6@techz> <2310076.IhaplX0rCg@techz> <82a069e0-543e-f1bc-a36b-c93e8bcac686@redhat.com> Message-ID: <2827545.dtOprWSSTW@techz> Hello Petr, Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek: > On 23.6.2016 15:27, G?nther J. Niederwimmer wrote: > > Hello Martin, > > > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: > >> On 20.06.2016 18:48, G?nther J. Niederwimmer wrote: > >>> Hello, > >>> > >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek: > >>>> On 18.6.2016 15:03, G?nther J. Niederwimmer wrote: > >>>>> hello, > >>>>> > >>>>> Am Freitag, 17. Juni 2016, 23:05:32 CEST schrieb Martin Basti: > >>>>>> On 17.06.2016 18:29, G?nther J. Niederwimmer wrote: > >>>>>>> Hello, > >>>>>>> > >>>>>>> Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti: > >>>>>>>> On 17.06.2016 12:54, G?nther J. Niederwimmer wrote: > >>>>>>>>> Hello List, > >>>>>>>>> > >>>>>>>>> Am Freitag, 17. 
Juni 2016, 07:51:45 CEST schrieb Petr Spacek: > >>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote: > >>>>>>>>>>> On (16/06/16 11:54), G?nther J. Niederwimmer wrote: > >>>>>>>>>>>> Hello > >>>>>>>>>>>> > >>>>>>>>>>>> on my system the ods-exporter i mean have a problem. > >>>>>>>>>>>> > >>>>>>>>>>>> I have this in the logs > >>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1 > >>>>>>>>>>>> > >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise > >>>>>>>>>>>> errors.ACIError(info=info) > >>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: > >>>>>>>>>>>> Insufficient > >>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>>>>>>>>>> GSS > >>>>>>>>>>>> failure. > >>>>>>>>>>>> Minor code may provide more information (Ticket expired) > >>>>>>>>>>> > >>>>>>>>>>> Here seems to be a reason why it failed. > >>>>>>>>>>> But I can't help you more. > >>>>>>>>>> > >>>>>>>>>> Lukas is right. Interesting, this should never happen :-) > >>>>>>>>> > >>>>>>>>> this have I also found ;-) > >>>>>>>>> > >>>>>>>>>> Please enable debugging using procedure > >>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_o > >>>>>>>>>> r_ > >>>>>>>>>> re > >>>>>>>>>> tu > >>>>>>>>>> rn > >>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart. > >>>>>>>>>> Thank you! > >>>>>>>>> > >>>>>>>>> OK, > >>>>>>>>> > >>>>>>>>> I attache the messages log? > >>>>>>>>> > >>>>>>>>> I mean this is a problem with my DNS ? > >>>>>>>> > >>>>>>>> Hello, > >>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI? > >>>>>>>> > >>>>>>>> identity/services/ipa-ods-exported/ > >>>>>>>> There should be kerberos status in right top corner in details view > >>>>>>> > >>>>>>> I have a > >>>>>>> identity/services/ipa-ods-exporter/.. > >>>>>>> > >>>>>>> with a "Kerberos Key Present, Service Provisioned" > >>>>>>> > >>>>>>> but no Certificate ? 
> >>>>>> > >>>>>> Can you try, > >>>>>> > >>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab > >>>>>> ipa-ods-exporter/$(hostname) > >>>>> > >>>>> OK > >>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods- > >>>>> exporter/$(hostname)" > >>>>> > >>>>> written on one line!! is this OK. > >>>>> > >>>>>> and do ldapsearch > >>>>>> # ldapsearch -Y GSSAPI > >>>>> > >>>>> and also ldapsearch is OK > >>>>> > >>>>>> It should show us if keytab is okay > >>>>> > >>>>> But the Error is present :-(. > >>>> > >>>> We need to see precise error. Please copy&paste it into the e-mail. > >>> > >>> that is it. > >>> > >>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed. > >>> > >>>> It would be awesome if you could follow general rules for bug > >>>> reporting: > >>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html > >>>> > >>>> Besides other things it would allow us to help you in shorter time. > >>>> > >>>> Have a nice day! > >> > >> This is weird, It looks like your kerberos keytab is valid, but I have > >> no idea why you are getting ticket expired messages. It should just > >> kinit again. > >> > >> Can you please remove this ccache file? > >> /var/opendnssec/tmp/ipa-ods-exporter.ccache > > > > OK now i make a ipactl stop remove the ccache file and start ipa again. > > > > to start the ods-exporte I have to wait a long time 1-2 min. ;-) > > > > I send you the log without debug when you like this with debug tell me. 
> > Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last): > > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- > > exporter", line 656, in > > Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind() > > Jun 23 14:57:56 ipa ipa-ods-exporter: File > > "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in > > gssapi_bind > > Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, > > client_controls) > > Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ > > contextlib.py", line 35, in __exit__ > > Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, > > traceback) Jun 23 14:57:56 ipa ipa-ods-exporter: File > > "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in > > error_handler > > Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info) > > Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient > > access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > > Minor code may provide more information (Ticket expired) > > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process > > exited, > > code=exited, status=1/FAILURE > > Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed > > state. > > Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed. > > This is really weird, I have no idea what happened. We can try a big hammer: > Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g. > /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT before I start a big hammer I tell you same things. I make now again ipactl status and found ipa-ods-exporter is not running (?). after a restart I found a lot of WARNINGS and Errors like this Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. 
Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/ ca/ocsp' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. 
Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,- SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,- SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,- SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM org.apache.catalina.startup.SetAllPropertiesRule begin Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'ssl3Ciphers' to '- SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA, +SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5, +SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,- SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,- SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,- SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ Connector} Setting property 'tlsCiphers' to '- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA, +TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA, +TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, +TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA, +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA, +TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jul 7 10:40:08 ipa server: INFO: Initializing ProtocolHandler ["http- bio-8443"] Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS and what is with the memcached servers ? 
is this normal

Jul 7 10:40:19 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers not running
Jul 7 10:40:19 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running

> and re-run ipa-dns-install with the same options as you used for the first
> time. It should re-create the keytab and all other things.

I hope I remember ;-)

OK, this is the next step. At the moment the DNS from ipa with DNSSEC is very
unstable :-(.

> I hope it will help.

;-)
--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From rmj at ast.cam.ac.uk Thu Jul 7 09:37:48 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 7 Jul 2016 10:37:48 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk>
Message-ID: <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk>

On 05/07/16 11:52, Roderick Johnstone wrote:
> On 04/07/2016 15:12, Martin Babinsky wrote:
>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I installed my first master ipa server (server1) many months ago (Redhat
>>> 7.1 IIRC) and made a replica server2 without problems.
>>>
>>> Now I'd like to bring online another replica (server3).
>>>
>>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
>>> but I get the following error when I run this on server1:
>>>
>>> server1> ipa-replica-prepare server3.example.com
>>>
>>> Directory Manager (existing master) password:
>>>
>>> Preparing replica for server3.example.com from server1.example.com
>>> Creating SSL certificate for the Directory Server
>>> Certificate issuance failed
>>>
>>>
>>> If I repeat this on server2, my first replica, it succeeds.
>>> >>> Running in debug mode on server1: >>> server1> ipa-replica-prepare --debug server3.example.com >>> gives a lot of output of which the following seems relevant (some info >>> has been anonymised): >>> >>> Generating key. This may take a few moments... >>> >>> >>> ipa: DEBUG: request POST >>> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient >>> ipa: DEBUG: request body >>> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true' >>> >>> >>> >>> ipa: DEBUG: NSSConnection init server1.example.com >>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0 >>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server >>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM" >>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443 >>> ipa: DEBUG: Protocol: TLS1.2 >>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>> ipa: DEBUG: response status 200 >>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', >>> 'content-length': '161', 'content-type': 'application/xml', 'server': >>> 'Apache-Coyote/1.1'} >>> ipa: DEBUG: response body '>> standalone="no"?>1Server Internal >>> Error 3' >>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> >>> >>> line 337, in run >>> self.copy_ds_certificate() >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> >>> >>> line 382, in copy_ds_certificate >>> self.export_certdb("dscert", passwd_fname) >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>> >>> >>> line 589, in export_certdb >>> db.create_server_cert(nickname, hostname, ca_db) >>> File 
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>> line 337, in create_server_cert >>> cdb.issue_server_cert(self.certreq_fname, self.certder_fname) >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>> line 418, in issue_server_cert >>> raise RuntimeError("Certificate issuance failed") >>> >>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The >>> ipa-replica-prepare command failed, exception: RuntimeError: Certificate >>> issuance failed >>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: >>> Certificate issuance failed >>> >>> If its of relevance I did change the directory manager password on both >>> server1 and server2 a couple of weeks ago. >>> >>> I'd appreciate some pointers to resolving this. >>> >>> Thanks >>> >>> Roderick Johnstone >>> >> Hi Roderick, >> >> try to look in the logs of the pki-ca subsystem. They should be located >> in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and >> "debug" logs mainly. >> > > Martin > > Thanks for the pointers. We had looked at a lot of log files, but not > those ones! > > We were running the ipa-replica-prepare during the afternoon of 1 July. > Here are the last few entries in the system log file. > > 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap > (bound) connection pool to host server1.example.com port 636, Cannot > connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error > creating JSS SSL Socket (-1) > 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] > CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the > internaldb. 
Error LDAP operation failure - > cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca > netscape.ldap.LDAPException: error result (1) > 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not > store certificate serial number 0x1 > 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not > store certificate serial number 0x2 > 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not > store certificate serial number 0x3 > 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not > store certificate serial number 0x1 > 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not > store certificate serial number 0x2 > 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not > store certificate serial number 0x3 > > > At corresponding times, in the debug logs there are entries like: > > [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - > cn=1,ou=certificateRepository, ou=ca, o=ipaca > netscape.ldap.LDAPException: error result (68) > > [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: > submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, > o=ipaca netscape.ldap.LDAPException: error result (68) > > [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: > create() > message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server > Internal Error] certificate request processed > > And then in the dirsrv error file there seems to be one of these for > each of the attempts to run ipa-replica-prepare: > [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- > attribute "krbExtraData" not allowed > [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- > attribute "krbExtraData" not allowed > [01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- > attribute "krbExtraData" not allowed > > Do you think this is looking like the 
root cause? Can you suggest how we > fix that? > > Thanks. > > Roderick > Hi Did anyone have any ideas on fixing this please. I'm a bit stuck now. Thanks Roderick From bcesarone156 at gmail.com Wed Jul 6 23:44:48 2016 From: bcesarone156 at gmail.com (Brad Cesarone) Date: Wed, 6 Jul 2016 18:44:48 -0500 Subject: [Freeipa-users] Sync & BaseDN change Message-ID: Hello I have two questions 1) Is it possible to sync/replicate with another ldap server? i.e Oracle Identity Manager 2) If #1 is true, is it possible to sync with two different suffixs? 3) Is it possible to either install IPA with a custom ldap Suffix or change the suffix once it is created? Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Thu Jul 7 12:50:12 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 7 Jul 2016 14:50:12 +0200 Subject: [Freeipa-users] Sync & BaseDN change In-Reply-To: References: Message-ID: On 7.7.2016 01:44, Brad Cesarone wrote: > I have two questions > 1) Is it possible to sync/replicate with another ldap server? i.e Oracle > Identity Manager IPA provides one-time import script called ipa-migrate-ds, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/using-migrate-ds.html It does not have any run-time synchronization capabilities. > 2) If #1 is true, is it possible to sync with two different suffixs? No. > 3) Is it possible to either install IPA with a custom ldap Suffix or change > the suffix once it is created? No, the suffix is derived from Kerberos realm and stays the same for lifetime of the IPA installation. What are you trying to achieve? Maybe we can approach it from a different angle. -- Petr^2 Spacek From pspacek at redhat.com Thu Jul 7 12:53:08 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 7 Jul 2016 14:53:08 +0200 Subject: [Freeipa-users] ipa-ods-exporter failed ? 
In-Reply-To: <2827545.dtOprWSSTW@techz>
References: <3253760.hiacI6SPC6@techz> <2310076.IhaplX0rCg@techz> <82a069e0-543e-f1bc-a36b-c93e8bcac686@redhat.com> <2827545.dtOprWSSTW@techz>
Message-ID: <71229f30-7256-b744-b4f3-1d6b7268853a@redhat.com>

On 7.7.2016 11:32, Günther J. Niederwimmer wrote:
> Hello Petr,
>
> On Thursday, 7 July 2016, 09:14:35 CEST, Petr Spacek wrote:
>> On 23.6.2016 15:27, Günther J. Niederwimmer wrote:
>>> Hello Martin,
>>>
>>> On Thursday, 23 June 2016, 15:02:18 CEST, Martin Basti wrote:
>>>> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> On Monday, 20 June 2016, 09:54:11 CEST, Petr Spacek wrote:
>>>>>> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
>>>>>>> hello,
>>>>>>>
>>>>>>> On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
>>>>>>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
>>>>>>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>>>>>>>> Hello List,
>>>>>>>>>>>
>>>>>>>>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
>>>>>>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> on my system the ods-exporter I mean have a problem.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have this in the logs
>>>>>>>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise
>>>>>>>>>>>>>> errors.ACIError(info=info)
>>>>>>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>>>>>>>>>>>> Insufficient
>>>>>>>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>>>>>>>>>> GSS
>>>>>>>>>>>>>> failure.
>>>>>>>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here seems to be a reason why it failed.
>>>>>>>>>>>>> But I can't help you more.
>>>>>>>>>>>> >>>>>>>>>>>> Lukas is right. Interesting, this should never happen :-) >>>>>>>>>>> >>>>>>>>>>> this have I also found ;-) >>>>>>>>>>> >>>>>>>>>>>> Please enable debugging using procedure >>>>>>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_o >>>>>>>>>>>> r_ >>>>>>>>>>>> re >>>>>>>>>>>> tu >>>>>>>>>>>> rn >>>>>>>>>>>> s_n o_data and check logs after next ipa-ods-exporter restart. >>>>>>>>>>>> Thank you! >>>>>>>>>>> >>>>>>>>>>> OK, >>>>>>>>>>> >>>>>>>>>>> I attache the messages log? >>>>>>>>>>> >>>>>>>>>>> I mean this is a problem with my DNS ? >>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> can you check kerberos status of ipa-ods-exporter service in webUI? >>>>>>>>>> >>>>>>>>>> identity/services/ipa-ods-exported/ >>>>>>>>>> There should be kerberos status in right top corner in details view >>>>>>>>> >>>>>>>>> I have a >>>>>>>>> identity/services/ipa-ods-exporter/.. >>>>>>>>> >>>>>>>>> with a "Kerberos Key Present, Service Provisioned" >>>>>>>>> >>>>>>>>> but no Certificate ? >>>>>>>> >>>>>>>> Can you try, >>>>>>>> >>>>>>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab >>>>>>>> ipa-ods-exporter/$(hostname) >>>>>>> >>>>>>> OK >>>>>>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods- >>>>>>> exporter/$(hostname)" >>>>>>> >>>>>>> written on one line!! is this OK. >>>>>>> >>>>>>>> and do ldapsearch >>>>>>>> # ldapsearch -Y GSSAPI >>>>>>> >>>>>>> and also ldapsearch is OK >>>>>>> >>>>>>>> It should show us if keytab is okay >>>>>>> >>>>>>> But the Error is present :-(. >>>>>> >>>>>> We need to see precise error. Please copy&paste it into the e-mail. >>>>> >>>>> that is it. >>>>> >>>>> Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed. >>>>> >>>>>> It would be awesome if you could follow general rules for bug >>>>>> reporting: >>>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html >>>>>> >>>>>> Besides other things it would allow us to help you in shorter time. >>>>>> >>>>>> Have a nice day! 
>>>> >>>> This is weird, It looks like your kerberos keytab is valid, but I have >>>> no idea why you are getting ticket expired messages. It should just >>>> kinit again. >>>> >>>> Can you please remove this ccache file? >>>> /var/opendnssec/tmp/ipa-ods-exporter.ccache >>> >>> OK now i make a ipactl stop remove the ccache file and start ipa again. >>> >>> to start the ods-exporte I have to wait a long time 1-2 min. ;-) >>> >>> I send you the log without debug when you like this with debug tell me. >>> Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last): >>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- >>> exporter", line 656, in >>> Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind() >>> Jun 23 14:57:56 ipa ipa-ods-exporter: File >>> "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in >>> gssapi_bind >>> Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, >>> client_controls) >>> Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ >>> contextlib.py", line 35, in __exit__ >>> Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, >>> traceback) Jun 23 14:57:56 ipa ipa-ods-exporter: File >>> "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in >>> error_handler >>> Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info) >>> Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient >>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (Ticket expired) >>> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process >>> exited, >>> code=exited, status=1/FAILURE >>> Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed >>> state. >>> Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed. >> >> This is really weird, I have no idea what happened. 
We can try a big hammer: >> Rename file /etc/ipa/dnssec/ipa-ods-exporter.keytab to e.g. >> /etc/ipa/dnssec/ipa-ods-exporter.keytab.SUSPECT > > before I start a big hammer I tell you same things. > > I make now again ipactl status and found > ipa-ods-exporter is not running (?). > > after a restart I found a lot of WARNINGS and Errors like this > > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'enableOCSP' to 'false' did not find a matching > property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/ > ca/ocsp' did not find a matching property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert > cert-pki-ca' did not find a matching property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching > property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a > matching property. 
> Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a > matching property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ocspTimeout' to '10' did not find a matching > property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'strictCiphers' to 'true' did not find a matching > property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' > did not find a matching property. > Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,- > SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,- > SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,- > SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. 
> Jul 7 10:40:07 ipa server: Jul 07, 2016 10:40:07 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'ssl3Ciphers' to '- > SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA, > +SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5, > +SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,- > SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,- > SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,- > SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,- > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did > not find a matching property. > Jul 7 10:40:07 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/ > Connector} Setting property 'tlsCiphers' to '- > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, > +TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, > +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, > +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA, > +TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA, > +TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,- > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,- > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, > +TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > +TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > +TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
> > Jul 7 10:40:08 ipa server: INFO: Initializing ProtocolHandler ["http- > bio-8443"] > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" > not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > Jul 7 10:40:08 ipa server: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Hmm, this might be interesting. Please open a ticket https://fedorahosted.org/freeipa/newticket and describe exact version of the packages (output from $ rpm -q) and how did you get to these messages. > and what is with the memcached servers ? is this normal > > Jul 7 10:40:19 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers > not running > Jul 7 10:40:19 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers > not running You can ignore this, it is harmless and will be fixed later on. -- Petr^2 Spacek From mkosek at redhat.com Thu Jul 7 13:47:18 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 7 Jul 2016 15:47:18 +0200 Subject: [Freeipa-users] Replication time and relation to cache size In-Reply-To: References: Message-ID: <66a35011-22cd-99c8-6f47-c964e623ff57@redhat.com> On 06/21/2016 05:19 PM, Ash Alam wrote: > anyone have any thoughts on this? 
> > Thank You > > On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote: > > Hello > > I have been going through the lists but i have not found the answer i am > looking for. I am seeing few issues for which i am looking for some > clarification. > > 1. What is the relationship between replication time and cache size? > > - I am noticing that it's taking up to 5 minutes for some things to > replication when change is made on one node and there are two additional > masters. The ipa nodes are all virtual machines within the same cluster. > > - WARNING: changelog: entry cache size 2097152B is less than db size > 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize. > > - I don't understand the cache size. Would't increasing it cause the same > issue when we hit the new limit? > > - connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max > allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in > cn=config to increase. > > > 2. Is there a definitive solution to this error? This seems to pop up every > so often. > > - NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning: > Attempting to release replica, but unable to receive endReplication extended Hi Ash, I see no reply, let me try and hook Thierry/Ludwig, they should know more. Martin P.S. sorry for the delay, most of FreeIPA core developers were focused on getting FreeIPA 4.4 out of the door. From mkosek at redhat.com Thu Jul 7 13:52:15 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 7 Jul 2016 15:52:15 +0200 Subject: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD In-Reply-To: References: Message-ID: <1dd923c1-1c27-ea8b-f0c9-1d81059725ae@redhat.com> On 06/26/2016 06:57 PM, Supratik Goswami wrote: > Hi > > I am using ipa-server-4.2.0 in my environment, it is having winsync agreement > with the AD server. 
> I want to move all new users to "Stage Users" state automatically when they are
> synced from the AD, can anyone please guide me on how to achieve it?
>
> Any help is highly appreciated.
>
> --
> Warm Regards

Hi Supratik,

This is not possible at the moment - this is an RFE. Please feel free to file an upstream ticket, I assume it should be doable. Please just note you would probably need to contribute patches to make this work as winsync is not a priority for most of the core developers, AD Trust is.

Thanks,
Martin

From rcritten at redhat.com Thu Jul 7 14:02:14 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 7 Jul 2016 10:02:14 -0400
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk>
Message-ID: <577E60E6.90901@redhat.com>

Roderick Johnstone wrote:
> On 05/07/16 11:52, Roderick Johnstone wrote:
>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> I installed my first master ipa server (server1) many months ago
>>>> (Redhat
>>>> 7.1 IIRC) and made a replica server2 without problems.
>>>>
>>>> Now I'd like to bring online another replica (server3).
>>>>
>>>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64,
>>>> but I get the following error when I run this on server1:
>>>>
>>>> server1> ipa-replica-prepare server3.example.com
>>>>
>>>> Directory Manager (existing master) password:
>>>>
>>>> Preparing replica for server3.example.com from server1.example.com
>>>> Creating SSL certificate for the Directory Server
>>>> Certificate issuance failed
>>>>
>>>>
>>>> If I repeat this on server2, my first replica, it succeeds.
>>>> >>>> Running in debug mode on server1: >>>> server1> ipa-replica-prepare --debug server3.example.com >>>> gives a lot of output of which the following seems relevant (some info >>>> has been anonymised): >>>> >>>> Generating key. This may take a few moments... >>>> >>>> >>>> ipa: DEBUG: request POST >>>> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient >>>> ipa: DEBUG: request body >>>> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true' >>>> >>>> >>>> >>>> >>>> ipa: DEBUG: NSSConnection init server1.example.com >>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0 >>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server >>>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM" >>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443 >>>> ipa: DEBUG: Protocol: TLS1.2 >>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>>> ipa: DEBUG: response status 200 >>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', >>>> 'content-length': '161', 'content-type': 'application/xml', 'server': >>>> 'Apache-Coyote/1.1'} >>>> ipa: DEBUG: response body '>>> standalone="no"?>1Server Internal >>>> Error 3' >>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>>> execute >>>> return_value = self.run() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>> >>>> >>>> >>>> line 337, in run >>>> self.copy_ds_certificate() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>> >>>> >>>> >>>> line 382, in copy_ds_certificate >>>> self.export_certdb("dscert", passwd_fname) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>> >>>> >>>> >>>> line 589, in export_certdb >>>> db.create_server_cert(nickname, 
hostname, ca_db) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>> line 337, in create_server_cert >>>> cdb.issue_server_cert(self.certreq_fname, self.certder_fname) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>> line 418, in issue_server_cert >>>> raise RuntimeError("Certificate issuance failed") >>>> >>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The >>>> ipa-replica-prepare command failed, exception: RuntimeError: >>>> Certificate >>>> issuance failed >>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: >>>> Certificate issuance failed >>>> >>>> If its of relevance I did change the directory manager password on both >>>> server1 and server2 a couple of weeks ago. >>>> >>>> I'd appreciate some pointers to resolving this. >>>> >>>> Thanks >>>> >>>> Roderick Johnstone >>>> >>> Hi Roderick, >>> >>> try to look in the logs of the pki-ca subsystem. They should be located >>> in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and >>> "debug" logs mainly. >>> >> >> Martin >> >> Thanks for the pointers. We had looked at a lot of log files, but not >> those ones! >> >> We were running the ipa-replica-prepare during the afternoon of 1 July. >> Here are the last few entries in the system log file. >> >> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap >> (bound) connection pool to host server1.example.com port 636, Cannot >> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error >> creating JSS SSL Socket (-1) >> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] >> CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the >> internaldb. 
Error LDAP operation failure - >> cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca >> netscape.ldap.LDAPException: error result (1) >> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not >> store certificate serial number 0x1 >> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not >> store certificate serial number 0x2 >> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not >> store certificate serial number 0x3 >> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not >> store certificate serial number 0x1 >> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not >> store certificate serial number 0x2 >> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not >> store certificate serial number 0x3 >> >> >> At corresponding times, in the debug logs there are entries like: >> >> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - >> cn=1,ou=certificateRepository, ou=ca, o=ipaca >> netscape.ldap.LDAPException: error result (68) >> >> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: >> submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, >> o=ipaca netscape.ldap.LDAPException: error result (68) >> >> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: >> create() >> message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server >> >> Internal Error] certificate request processed >> >> And then in the dirsrv error file there seems to be one of these for >> each of the attempts to run ipa-replica-prepare: >> [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- >> attribute "krbExtraData" not allowed >> [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- >> attribute "krbExtraData" not allowed >> [01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- >> attribute "krbExtraData" not allowed >> 
>> Do you think this is looking like the root cause? Can you suggest how we
>> fix that?
>>
>> Thanks.
>>
>> Roderick
>>
>
> Hi
>
> Did anyone have any ideas on fixing this please? I'm a bit stuck now.

When you changed the DM passwords did you follow this,
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

rob

From pspacek at redhat.com Thu Jul 7 14:28:52 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 7 Jul 2016 16:28:52 +0200
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To: <21214622-2D27-4C44-A391-4500497776BD@border.nuneshiggs.com>
References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com> <895FA1EB-17EB-4ADC-8CE5-008A740ACB3D@border.nuneshiggs.com> <9d28e841-f8e1-0bce-f32c-d75b8c790965@redhat.com> <21214622-2D27-4C44-A391-4500497776BD@border.nuneshiggs.com>
Message-ID: <4817a9d3-c18d-90eb-5ed2-0fe6e75c2c70@redhat.com>

On 15.6.2016 09:37, Nuno Higgs wrote:
> Hello Petr,
>
> [root at slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support
>
> It's empty.

Interesting. At this point I'm unable to say what happened to your install. If it happens again please get back to us and we will investigate.

Petr^2 Spacek

>
> Thanks
> Nuno
>
>> On 15 Jun 2016, at 07:45, Petr Spacek wrote:
>>
>> On 14.6.2016 17:29, Nuno Higgs wrote:
>>> Hello,
>>>
>>> I am running CentOS7:
>>>
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> I configured my DNS forwarder when I did the install process of the secondary node of IPA:
>>>
>>> [root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg
>>
>> Interesting, 4.2.0 should have checks to detect this problem.
>>
>> Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC?
>> >> It should be something like >> "DNS server does not support DNSSEC" >> >> Thanks. >> >> Petr^2 Spacek >> >> >>> >>> Thanks, >>> Nuno >>> >>>> On 14 Jun 2016, at 15:28, Petr Spacek wrote: >>>> >>>> On 14.6.2016 13:01, Nuno Higgs wrote: >>>>> Hello, >>>>> >>>>> Found it: >>>>> >>>>> It appears that my forwarder is NOT DNSSEC happy: >>>>> >>>>> in: /var/named/data/named.run >>>>> >>>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure >>>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53 >>>>> >>>>> So, i changed the /etc/named.conf >>>>> >>>>> from: >>>>> >>>>> dnssec-enable yes; >>>>> dnssec-validation yes; >>>>> >>>>> to: >>>>> >>>>> dnssec-enable yes; >>>>> dnssec-validation no; >>>>> >>>>> Everything is working fine now. >>>> >>>> Okay, it explains a lot. >>>> >>>> Please note that configuration "dnssec-validation no;" lowers security bar for >>>> attackers and is strongly discouraged! >>>> >>>> The issue is most likely caused by non-compliant forwarder which mangles DNS >>>> data somehow before they reach your IPA DNS server. >>>> >>>> I would recommend you to check DNS forwarder on 10.0.157.35 and see it is >>>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend >>>> returning back to "dnssec-validation yes;" after fixing the forwarder config. >>>> >>>> IPA 4.3 or newer should print a warning about such broken forwarders whenever >>>> you try to configure them using IPA commands. >>>> >>>> What version of IPA do you use? >>>> >>>> How did you configure the forwarder in IPA? >>>> >>>> Petr^2 Spacek >>>> >>>>> >>>>> Thanks for your help! >>>>> Nuno >>>>> >>>>>> On 13 Jun 2016, at 10:14, Nuno Higgs wrote: >>>>>> >>>>>> Hello again, >>>>>> >>>>>> [root at ipa01 ~]# kinit user >>>>>> Password for user at DOMAIN.LOCAL: >>>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu >>>>>> Zone name: domain.eu. 
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root at ipa01 ~]#
>>>>>>
>>>>>>
>>>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>>> Zone name: domain.eu.
>>>>>> Active zone: TRUE
>>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>>> Forward policy: only
>>>>>> [root at ipa02 ~]#
>>>>>>
>>>>>> On both servers the return is the same.
>>>>>> I haven't touched the DNS config besides deleting the zone and recreating
>>>>>> it.
>>>>>>
>>>>>> I am at a loss. What can be the issue here?
>>>>>>
>>>>>> Thanks,
>>>>>> Nuno
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: freeipa-users-bounces at redhat.com
>>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>>>> Sent: Monday, 13 June 2016 06:50
>>>>>> To: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>>
>>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>>>>> geographic replication.
>>>>>>>
>>>>>>> I have added it as stated in the documentation here:
>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>>
>>>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>>>>> success within the replica.
>>>>>>>
>>>>>>> However there is a problem with the DNS sections:
>>>>>>>
>>>>>>> Although DNS is ok, my configuration within IPA on the first server
>>>>>>> regarding DNS zones that are set on forward only are not.
>>>>>>> >>>>>>> In my first server, i can do a forward of domain - let's say >>>>>>> domain.eu. On the second server (replica) the >>>>>>> forward is shown configured correctly within the webgui but it does >>>>>>> not work, giving a NX error on query >>>>>>> www.domain.eu (the A Record exists and is shown on the first server). >>>>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it >>>>>> isn't a network permissions issue. >>>>>>> >>>>>>> >>>>>>> >>>>>>> I have deleted the zone on the master (and replica), and recreated it. >>>>>>> On the first server, it worked fine. On the replica the problem persisted. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Am I missing anything? Is there a undocumented trick, or have i missed >>>>>>> something? >>>>>> >>>>>> Hello, >>>>>> >>>>>> it could be either a DNS configuration problem or a LDAP replication >>>>>> problem. >>>>>> >>>>>> Please show us output from command: >>>>>> $ ipa dnsforwardzone-show domain.eu >>>>>> from all IPA servers you have. >>>>>> >>>>>> The output should be the same. If it is not the same then you are most >>>>>> likely facing an replication problem, please see >>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek From tbordaz at redhat.com Thu Jul 7 14:45:16 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 7 Jul 2016 16:45:16 +0200 Subject: [Freeipa-users] Replication time and relation to cache size In-Reply-To: <66a35011-22cd-99c8-6f47-c964e623ff57@redhat.com> References: <66a35011-22cd-99c8-6f47-c964e623ff57@redhat.com> Message-ID: <577E6AFC.2090502@redhat.com> On 07/07/2016 03:47 PM, Martin Kosek wrote: > On 06/21/2016 05:19 PM, Ash Alam wrote: >> anyone have any thoughts on this? >> >> Thank You >> >> On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > > wrote: >> >> Hello >> >> I have been going through the lists but i have not found the answer i am >> looking for. 
>> I am seeing a few issues for which I am looking for some clarification.
>>
>> 1. What is the relationship between replication time and cache size?
>>
>> - I am noticing that it's taking up to 5 minutes for some things to replicate when a change is made on one node and there are two additional masters. The ipa nodes are all virtual machines within the same cluster.

Hi Ash,

There is no direct relation between replication time (latency) and the cache size. But it is possible that with a greater cache, processing of the replicated updates will be faster.
Now many parameters can explain latency (power of the boxes, masters competing for exclusive access to a replica, many updates filtered before sending one...).
The latency was greatly reduced since 1.3.5.4.

>>
>> - WARNING: changelog: entry cache size 2097152B is less than db size 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize.

This warning is generic for all suffixes. Now changelog is a special suffix and a small entry cache should not create any issue.

>>
>> - I don't understand the cache size. Wouldn't increasing it cause the same issue when we hit the new limit?

To process an entry (search/update), the entry is loaded in memory into a cache. The entry remains in the cache until it needs space to load other entries. The cache is always full and this does not create any issue.
If you have a small database and all the entries can fit in the cache, it is worth testing with a large cache. Otherwise a cache of [100-200] Mb is most of the time a good tuning.

>>
>> - connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

It comes from a failure (overflow) to decode a ber (ber_get_next). The maxbersize is 200Mb, which looks large enough to handle any request. Is it a frequent issue? Is there any network issue?

>>
>> 2. Is there a definitive solution to this error?
>> This seems to pop up every so often.
>>
>> - NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning: Attempting to release replica, but unable to receive endReplication extended

This message comes from a replica agreement that is responsible for replicating updates to another DS instance (ipa0009). When this replica agreement has no more updates to send, it sends an 'endReplication' and expects a response (from ipa0009). Here for some reason, ipa0009 is not responding. You may check the error logs.

> Hi Ash,
>
> I see no reply, let me try and hook Thierry/Ludwig, they should know more.
>
> Martin
>
> P.S. sorry for the delay, most of FreeIPA core developers were focused on getting FreeIPA 4.4 out of the door.


From rmj at ast.cam.ac.uk Thu Jul 7 15:09:03 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 7 Jul 2016 16:09:03 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <577E60E6.90901@redhat.com>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk> <577E60E6.90901@redhat.com>
Message-ID: <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk>

On 07/07/16 15:02, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> On 05/07/16 11:52, Roderick Johnstone wrote:
>>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>>> Hi
>>>>>
>>>>> I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems.
>>>>>
>>>>> Now I'd like to bring online another replica (server3).
>>>>>
>>>>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, but I get the following error when I run this on server1:
>>>>>
>>>>> server1> ipa-replica-prepare server3.example.com
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for server3.example.com from server1.example.com
>>>>> Creating SSL certificate for the Directory Server
>>>>> Certificate issuance failed
>>>>>
>>>>> If I repeat this on server2, my first replica, it succeeds.
>>>>>
>>>>> Running in debug mode on server1:
>>>>> server1> ipa-replica-prepare --debug server3.example.com
>>>>> gives a lot of output of which the following seems relevant (some info has been anonymised):
>>>>>
>>>>> Generating key. This may take a few moments...
>>>>>
>>>>> ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
>>>>> ipa: DEBUG: request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>>>>> ipa: DEBUG: NSSConnection init server1.example.com
>>>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
>>>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>> ipa: DEBUG: response status 200
>>>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>> ipa: DEBUG: response body 'standalone="no"?>1Server Internal Error 3'
>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>     return_value = self.run()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
>>>>>     self.copy_ds_certificate()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>
>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed
>>>>>
>>>>> If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.
>>>>>
>>>>> I'd appreciate some pointers to resolving this.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Roderick Johnstone
>>>>>
>>>> Hi Roderick,
>>>>
>>>> try to look in the logs of the pki-ca subsystem. They should be located in the /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and "debug" logs mainly.
>>>>
>>>
>>> Martin
>>>
>>> Thanks for the pointers. We had looked at a lot of log files, but not those ones!
>>>
>>> We were running the ipa-replica-prepare during the afternoon of 1 July. Here are the last few entries in the system log file.
>>>
>>> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap (bound) connection pool to host server1.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (1)
>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not store certificate serial number 0x1
>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not store certificate serial number 0x2
>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not store certificate serial number 0x3
>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not store certificate serial number 0x1
>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not store certificate serial number 0x2
>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not store certificate serial number 0x3
>>>
>>> At corresponding times, in the debug logs there are entries like:
>>>
>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>
>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>
>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server Internal Error] certificate request processed
>>>
>>> And then in the
>>> dirsrv error file there seems to be one of these for each of the attempts to run ipa-replica-prepare:
>>> [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>> [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>> [01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>
>>> Do you think this is looking like the root cause? Can you suggest how we fix that?
>>>
>>> Thanks.
>>>
>>> Roderick
>>>
>>
>> Hi
>>
>> Did anyone have any ideas on fixing this please. I'm a bit stuck now.
>
> When you changed the DM passwords did you follow this,
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> rob

Hi Rob

Well, yes, but I did nothing because I read that page to say that nothing needed doing because our server was on freeipa 4.2.0 (Redhat 7.2) and the procedure is automated for that version freeipa 3.3.2.

Did I misunderstand that?

Roderick


From prashant at apigee.com Thu Jul 7 15:19:43 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 7 Jul 2016 20:49:43 +0530
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To:
References:
Message-ID:

Anyone ?!

On 6 July 2016 at 22:36, Prashant Bapat wrote:
> Hi,
>
> We are using FreeIPA's LDAP as the base for user authentication in a different application. So far I have created a sysaccount which does the lookup etc for a user and things are working as expected. I'm even able to use OTP from the external app.
>
> One problem I'm struggling to fix is the expired passwords. Is there a way to deny bind to LDAP only from this application? Obviously the user would need to go to IPA's web UI and reset his password there.
>
> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but looks like this is an old one.
>
> Thanks.
> --Prashant
>


From pvoborni at redhat.com Thu Jul 7 15:30:26 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 7 Jul 2016 17:30:26 +0200
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk> <577E60E6.90901@redhat.com> <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk>
Message-ID:

On 07/07/2016 05:09 PM, Roderick Johnstone wrote:
> On 07/07/16 15:02, Rob Crittenden wrote:
>> Roderick Johnstone wrote:
>>> On 05/07/16 11:52, Roderick Johnstone wrote:
>>>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>>>> Hi
>>>>>>
>>>>>> I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems.
>>>>>>
>>>>>> Now I'd like to bring online another replica (server3).
>>>>>>
>>>>>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, but I get the following error when I run this on server1:
>>>>>>
>>>>>> server1> ipa-replica-prepare server3.example.com
>>>>>>
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Preparing replica for server3.example.com from server1.example.com
>>>>>> Creating SSL certificate for the Directory Server
>>>>>> Certificate issuance failed
>>>>>>
>>>>>> If I repeat this on server2, my first replica, it succeeds.
>>>>>>
>>>>>> Running in debug mode on server1:
>>>>>> server1> ipa-replica-prepare --debug server3.example.com
>>>>>> gives a lot of output of which the following seems relevant (some info has been anonymised):
>>>>>>
>>>>>> Generating key.
>>>>>> This may take a few moments...
>>>>>>
>>>>>> ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
>>>>>> ipa: DEBUG: request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>>>>>> ipa: DEBUG: NSSConnection init server1.example.com
>>>>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
>>>>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>>> ipa: DEBUG: response status 200
>>>>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>>> ipa: DEBUG: response body 'standalone="no"?>1Server Internal Error 3'
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>     return_value = self.run()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
>>>>>>     self.copy_ds_certificate()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed
>>>>>>
>>>>>> If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.
>>>>>>
>>>>>> I'd appreciate some pointers to resolving this.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Roderick Johnstone
>>>>>>
>>>>> Hi Roderick,
>>>>>
>>>>> try to look in the logs of the pki-ca subsystem. They should be located in the /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and "debug" logs mainly.
>>>>>
>>>>
>>>> Martin
>>>>
>>>> Thanks for the pointers. We had looked at a lot of log files, but not those ones!
>>>>
>>>> We were running the ipa-replica-prepare during the afternoon of 1 July. Here are the last few entries in the system log file.
>>>>
>>>> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap (bound) connection pool to host server1.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb.
>>>> Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (1)
>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not store certificate serial number 0x1
>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not store certificate serial number 0x2
>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not store certificate serial number 0x3
>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not store certificate serial number 0x1
>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not store certificate serial number 0x2
>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not store certificate serial number 0x3
>>>>
>>>> At corresponding times, in the debug logs there are entries like:
>>>>
>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>>
>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>>
>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server Internal Error] certificate request processed
>>>>
>>>> And then in the dirsrv error file there seems to be one of these for each of the attempts to run ipa-replica-prepare:
>>>> [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>> [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>> [01/Jul/2016:16:13:36
>>>> +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>>
>>>> Do you think this is looking like the root cause? Can you suggest how we fix that?
>>>>
>>>> Thanks.
>>>>
>>>> Roderick
>>>>
>>>
>>> Hi
>>>
>>> Did anyone have any ideas on fixing this please. I'm a bit stuck now.
>>
>> When you changed the DM passwords did you follow this,
>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>>
>> rob
>
> Hi Rob
>
> Well, yes, but I did nothing because I read that page to say that nothing needed doing because our server was on freeipa 4.2.0 (Redhat 7.2) and the procedure is automated for that version freeipa 3.3.2.
>
> Did I misunderstand that?
>
> Roderick
>

Roderick, could you also attach a snippet of the dirsrv access log around the time you see the "attribute "krbExtraData" not allowed" error?

After that, could you try to do step 3 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password to check if the automatic password change which is done in ipa-replica-prepare failed, and if it is therefore the root cause.
--
Petr Vobornik


From pvoborni at redhat.com Thu Jul 7 16:06:57 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 7 Jul 2016 18:06:57 +0200
Subject: [Freeipa-users] Problem with properly removing replica master from cluster
In-Reply-To: <3185B8E3-7AFF-46E2-8A50-B77A554A2D7A@uni.lu>
References: <3185B8E3-7AFF-46E2-8A50-B77A554A2D7A@uni.lu>
Message-ID:

On 07/04/2016 05:54 PM, Christophe TREFOIS wrote:
> Dear all,
>
> First of all, thanks to mbasti for helping out so far.
>
> We have a 3-node master cluster (--setup-ca) on 4.1 and set up a 4th using 4.2.0 as we want to migrate there.
>
> First, we had some orphan entries in ipa-replica-manage list. We removed those by manually removing the LDAP node + children in cn=etc,cn=ipa,cn=masters.
> Then, we saw that there is still an orphan entry here:
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>
> In particular, there is one ghost entry for nsDS5ReplicaBindDN
>
> These are the details of ldapsearch -x -D 'cn=directory manager' -W -b 'cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'
>
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat, csusers, config
> dn: cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config
> objectClass: top
> objectClass: person
> cn: Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat
> sn: manager
> userPassword:: **REMOVED**
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> In addition, in the slapd error log, I periodically (every 5 mins) see the following errors:
>
> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
>
> Could anybody help me to clean up the orphaned master replica (that is dead) and also tell if these attr_replace errors are related?

Hello Christophe,

this is the result of not running `ipa-csreplica-manage del` prior to running `ipa-replica-manage del` or `ipa-server-install --uninstall`.

Solution is described at: https://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

>
> Thank you for your help in this,
>
> Kind regards,
>
> Christophe
>
--
Petr Vobornik


From rmj at ast.cam.ac.uk Thu Jul 7 17:06:38 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 7 Jul 2016 18:06:38 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To:
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk> <577E60E6.90901@redhat.com> <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk>
Message-ID:

On 07/07/16 16:30, Petr Vobornik wrote:
> On 07/07/2016 05:09 PM, Roderick Johnstone wrote:
>> On 07/07/16 15:02, Rob Crittenden wrote:
>>> Roderick Johnstone wrote:
>>>> On 05/07/16 11:52, Roderick Johnstone wrote:
>>>>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>>>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems.
>>>>>>>
>>>>>>> Now I'd like to bring online another replica (server3).
>>>>>>>
>>>>>>> All servers are now on Redhat 7.2 ipa-server-4.2.0-15.el7_2.17.x86_64, but I get the following error when I run this on server1:
>>>>>>>
>>>>>>> server1> ipa-replica-prepare server3.example.com
>>>>>>>
>>>>>>> Directory Manager (existing master) password:
>>>>>>>
>>>>>>> Preparing replica for server3.example.com from server1.example.com
>>>>>>> Creating SSL certificate for the Directory Server
>>>>>>> Certificate issuance failed
>>>>>>>
>>>>>>> If I repeat this on server2, my first replica, it succeeds.
>>>>>>>
>>>>>>> Running in debug mode on server1:
>>>>>>> server1> ipa-replica-prepare --debug server3.example.com
>>>>>>> gives a lot of output of which the following seems relevant (some info has been anonymised):
>>>>>>>
>>>>>>> Generating key. This may take a few moments...
>>>>>>>
>>>>>>> ipa: DEBUG: request POST https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
>>>>>>> ipa: DEBUG: request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>>>>>>> ipa: DEBUG: NSSConnection init server1.example.com
>>>>>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
>>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>>> ipa: DEBUG: cert valid True for "CN=server1.example.com,O=EXAMPLE.COM"
>>>>>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
>>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>>>> ipa: DEBUG: response status 200
>>>>>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT', 'content-length': '161', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
>>>>>>> ipa: DEBUG: response body 'standalone="no"?>1Server Internal Error 3'
>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>>     return_value = self.run()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
>>>>>>>     self.copy_ds_certificate()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
>>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
>>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
>>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>>
>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: RuntimeError: Certificate issuance failed
>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Certificate issuance failed
>>>>>>>
>>>>>>> If it's of relevance I did change the directory manager password on both server1 and server2 a couple of weeks ago.
>>>>>>>
>>>>>>> I'd appreciate some pointers to resolving this.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Roderick Johnstone
>>>>>>>
>>>>>> Hi Roderick,
>>>>>>
>>>>>> try to look in the logs of the pki-ca subsystem. They should be located in the /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" and "debug" logs mainly.
>>>>>>
>>>>>
>>>>> Martin
>>>>>
>>>>> Thanks for the pointers. We had looked at a lot of log files, but not those ones!
>>>>>
>>>>> We were running the ipa-replica-prepare during the afternoon of 1 July. Here are the last few entries in the system log file.
>>>>>
>>>>> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap (bound) connection pool to host server1.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>>> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb.
>>>>> Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (1)
>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not store certificate serial number 0x1
>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not store certificate serial number 0x2
>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not store certificate serial number 0x3
>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not store certificate serial number 0x1
>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not store certificate serial number 0x2
>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not store certificate serial number 0x3
>>>>>
>>>>> At corresponding times, in the debug logs there are entries like:
>>>>>
>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>>>
>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (68)
>>>>>
>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server Internal Error] certificate request processed
>>>>>
>>>>> And then in the dirsrv error file there seems to be one of these for each of the attempts to run ipa-replica-prepare:
>>>>> [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>>> [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>>> [01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData" not allowed
>>>>>
>>>>> Do you think this is looking like the root cause? Can you suggest how we fix that?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Roderick
>>>>>
>>>>
>>>> Hi
>>>>
>>>> Did anyone have any ideas on fixing this please. I'm a bit stuck now.
>>>
>>> When you changed the DM passwords did you follow this,
>>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>>>
>>> rob
>>
>> Hi Rob
>>
>> Well, yes, but I did nothing because I read that page to say that nothing needed doing because our server was on freeipa 4.2.0 (Redhat 7.2) and the procedure is automated for that version freeipa 3.3.2.
>>
>> Did I misunderstand that?
>>
>> Roderick
>>
>

Hi Petr

> Roderick, could you also attach a snippet of the dirsrv access log around the time you see the "attribute "krbExtraData" not allowed" error?

Would it be OK to send you this off-list? There is some stuff that identifies our domain and servers etc which I would rather not post to the list.

>
> After that, could you try to do step 3 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password to check if the automatic password change which is done in ipa-replica-prepare failed, and if it is therefore the root cause.
>

I'm not sure if I actually need to do the first step (ldappasswd), but I can confirm that the second step, the ldapsearch, works if I use the new Directory Manager password. Is that enough to know? Otherwise I can do the ldappasswd tomorrow (I just don't want to mess with more than necessary now!).

Thanks.

Roderick


From th at casalogic.dk Thu Jul 7 17:44:52 2016
From: th at casalogic.dk (Troels Hansen)
Date: Thu, 7 Jul 2016 19:44:52 +0200 (CEST)
Subject: [Freeipa-users] Periodic unable to authenticate
Message-ID: <1600877751.427383.1467913492369.JavaMail.zimbra@casalogic.dk>

Hi, we have 2 IPA servers set up in replication.
All works fine, except sometimes I see unable to authenticate.
It goes on for like 2-5 minutes, and then everything works again. When
looking at the logs I see nothing, except err=53 which means incorrect
password, but it's NOT!

[07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1

Anyone having any clues about where to look?

--
Best regards,

Troels Hansen
Systems consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.

From rcritten at redhat.com Thu Jul 7 19:28:09 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 7 Jul 2016 15:28:09 -0400
Subject: [Freeipa-users] Periodic unable to authenticate
In-Reply-To: <1600877751.427383.1467913492369.JavaMail.zimbra@casalogic.dk>
References: <1600877751.427383.1467913492369.JavaMail.zimbra@casalogic.dk>
Message-ID: <577EAD49.8010300@redhat.com>

Troels Hansen wrote:
> Hi, we have 2 IPA servers set up in replication.
> All works fine, except sometimes I see unable to authenticate.
> It goes on for like 2-5 minutes, and then everything works again. When
> looking at the logs I see nothing, except err=53 which means incorrect
> password, but it's NOT!
>
> [07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND
> dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97
> nentries=0 etime=0
> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1
>
> Anyone having any clues about where to look?

53 is not bad password, it is unwilling to perform. The error log might
have additional details.

rob

From christophe.trefois at uni.lu Thu Jul 7 23:24:04 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 7 Jul 2016 23:24:04 +0000
Subject: [Freeipa-users] Problem with properly removing replica master from cluster
In-Reply-To:
References: <3185B8E3-7AFF-46E2-8A50-B77A554A2D7A@uni.lu>
Message-ID: <2AA56A36-A603-441C-A2B2-2FE6B4AF5C15@uni.lu>

Hi Petr,

The cleaning task worked. No more errors.

Thanks for that.

Kind regards,

--
Christophe

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

----
This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the original message and any copies.
----

> On 07 Jul 2016, at 18:06, Petr Vobornik wrote:
>
> On 07/04/2016 05:54 PM, Christophe TREFOIS wrote:
>> Dear all,
>>
>> First of all, thanks to mbasti for helping out so far.
>>
>> We have a 3-node master cluster (--setup-ca) on 4.1 and set up a 4th using 4.2.0 as we want to migrate there.
>>
>> First, we had some orphan entries in ipa-replica-manage list. We removed those by manually removing the LDAP node + children in cn=etc,cn=ipa,cn=masters.
>>
>> Then, we saw that there is still an orphan entry here:
>>
>> ldapsearch -xLLL -D "cn=directory manager" -W -b dc=uni,dc=lu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>
>> In particular, there is one ghost entry for nsDS5ReplicaBindDN
>>
>> These are the details of ldapsearch -x -D 'cn=directory manager' -W -b 'cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers,cn=config'
>>
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat, csusers, config
>> dn: cn=Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat,ou=csusers
>>  ,cn=config
>> objectClass: top
>> objectClass: person
>> cn: Replication Manager masterAgreement1-lums3.uni.lu-pki-tomcat
>> sn: manager
>> userPassword:: **REMOVED**
>>  =
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> In addition, in slapd error log, I periodically (every 5 mins) see the following errors:
>>
>> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
>> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
>> [04/Jul/2016:15:47:08 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://server1.uni.lu:389/o%3Dipaca) failed.
>>
>> Could anybody help me to clean up the orphaned master replica (that is dead) and also tell if these attr_replace errors are related?
>
> Hello Christophe,
>
> this is the result of not running `ipa-csreplica-manage del` prior to running `ipa-replica-manage del` or `ipa-server-install --uninstall`.
>
> Solution is described at: https://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
>
>>
>> Thank you for your help in this,
>>
>> Kind regards,
>>
>> --
>> Christophe
>>
>>
>
>
> --
> Petr Vobornik

From yamakasi.014 at gmail.com Fri Jul 8 01:49:16 2016
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 8 Jul 2016 03:49:16 +0200
Subject: [Freeipa-users] ipa-server-upgrade fails on PKI CentOS 7.2
Message-ID:

Hi,

I have some issue with the ipa-server-upgrade command where PKI fails.

This seems to be a known issue but I'm unsure where to report it as it's fixed in FC

https://bugzilla.redhat.com/show_bug.cgi?id=1328522

Does someone have a clue how to get around this?

Thanks!

Matt

From th at casalogic.dk Fri Jul 8 05:43:06 2016
From: th at casalogic.dk (Troels Hansen)
Date: Fri, 8 Jul 2016 07:43:06 +0200 (CEST)
Subject: [Freeipa-users] Periodic unable to authenticate
In-Reply-To: <577EAD49.8010300@redhat.com>
References: <1600877751.427383.1467913492369.JavaMail.zimbra@casalogic.dk> <577EAD49.8010300@redhat.com>
Message-ID: <468110877.432629.1467956586934.JavaMail.zimbra@casalogic.dk>

You mean the /var/log/dirsrv//error right?

Clean except for when I do ipa backup, which actually doesn't look like it's errors, but more info..

However, sometimes, at 0:20 I have:

[07/Jul/2016:00:15:41 +0200] NSMMReplicationPlugin - replication keep alive entry already exists
[07/Jul/2016:00:24:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:45 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:45 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:24:45 +0200] NSMMReplicationPlugin - agmt="cn=meTokoda.casalogic.lan" (koda:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired))
[07/Jul/2016:00:24:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:48 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:48 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:24:54 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:54 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)) errno 2 (No such file or directory)
[07/Jul/2016:00:24:54 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[07/Jul/2016:00:25:06 +0200] NSMMReplicationPlugin - agmt="cn=meTokoda.casalogic.lan" (koda:389): Replication bind with GSSAPI auth resumed
[07/Jul/2016:01:36:52 +0200] NSMMReplicationPlugin - replication keep alive entry already exists

However, that's not when I have the auth problems.

----- On Jul 7, 2016, at 9:28 PM, Rob Crittenden rcritten at redhat.com wrote:

> Troels Hansen wrote:
>> Hi, we have 2 IPA servers set up in replication.
>> All works fine, except sometimes I see unable to authenticate.
>> It goes on for like 2-5 minutes, and then everything works again. When
>> looking at the logs I see nothing, except err=53 which means incorrect
>> password, but it's NOT!
>>
>> [07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND
>> dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97
>> nentries=0 etime=0
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
>> [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1
>>
>> Anyone having any clues about where to look?
>
> 53 is not bad password, it is unwilling to perform. The error log might
> have additional details.
>
> rob

--
Best regards,

Troels Hansen
Systems consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
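Rob's point that err=53 is "unwilling to perform" rather than a bad password is easy to miss when scanning the 389 Directory Server access log by eye, because the log prints only the numeric resultCode. The script below is an added example (not code from FreeIPA, 389-ds, or either poster): it pairs every BIND with the RESULT of the same conn/op and names the result code from the standard LDAP table, which also covers the "error result (68)" and "(1)" that Dogtag logged in the ipa-replica-prepare thread above. The sample log is constructed: the lines Troels posted plus a wrong-password bind and a successful one so that the three cases can be told apart.

```python
"""Pair BIND requests with their RESULT lines in a 389 Directory Server
access log and name the LDAP result code.

Added example for this thread; not FreeIPA or 389-ds code. The names are
the resultCode names from RFC 4511: 53 is unwillingToPerform, while a
wrong password is 49 invalidCredentials.
"""
import re
from collections import Counter

# Standard LDAP resultCode values (RFC 4511) that turn up in these threads.
LDAP_RESULT_NAMES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

# Constructed sample: the lines from the post (conn=370373), plus a bind with
# a wrong password (conn=370380) and a successful bind (conn=370381).
SAMPLE_LOG = """\
[07/Jul/2016:19:38:19 +0200] conn=370373 TLS1.2 128-bit AES-GCM
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 BIND dn="uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:38:19 +0200] conn=370373 op=0 RESULT err=53 tag=97 nentries=0 etime=0
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 UNBIND
[07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1
[07/Jul/2016:19:40:02 +0200] conn=370380 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:40:02 +0200] conn=370380 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[07/Jul/2016:19:41:10 +0200] conn=370381 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=casalogic,dc=lan" method=128 version=3
[07/Jul/2016:19:41:10 +0200] conn=370381 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Jul/2016:19:41:10 +0200] conn=370381 op=1 SRCH base="dc=casalogic,dc=lan" scope=2 filter="(uid=alice)" attrs=ALL
[07/Jul/2016:19:41:10 +0200] conn=370381 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Only BIND and RESULT lines matter; the TLS, UNBIND, closed and SRCH lines
# fall through the regex.
OP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?P<kind>BIND|RESULT)\b(?P<rest>.*)$"
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")


def result_name(code):
    """Readable name for an LDAP resultCode, e.g. 53 -> unwillingToPerform."""
    return LDAP_RESULT_NAMES.get(code, "unknown(%d)" % code)


def failed_binds(log_text):
    """Return [(timestamp, bind_dn, err, name)] for each BIND whose RESULT is non-zero.

    A BIND and its RESULT share conn= and op=, so each BIND line is remembered
    under that key until its RESULT arrives. RESULT lines of other operations
    (searches, modifies) have no remembered BIND and are skipped.
    """
    pending = {}
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        key = (m.group("conn"), m.group("op"))
        if m.group("kind") == "BIND":
            dn_m = DN_RE.search(m.group("rest"))
            # 389-ds logs an anonymous bind as dn="".
            pending[key] = (m.group("ts"), dn_m.group("dn") if dn_m else "")
            continue
        bind = pending.pop(key, None)
        if bind is None:
            continue
        err_m = ERR_RE.search(m.group("rest"))
        err = int(err_m.group("err")) if err_m else -1
        if err != 0:
            failures.append((bind[0], bind[1], err, result_name(err)))
    return failures


def failure_summary(log_text):
    """Count failed binds per result-code name, e.g. {'unwillingToPerform': 1}."""
    return dict(Counter(name for _, _, _, name in failed_binds(log_text)))


if __name__ == "__main__":
    for ts, dn, err, name in failed_binds(SAMPLE_LOG):
        print("%s  %-50s err=%d (%s)" % (ts, dn, err, name))
    print(failure_summary(SAMPLE_LOG))
```

Run against a real access log (`failed_binds(open(path).read())`), a burst of unwillingToPerform results for otherwise valid users is the signature to look for in the errors log at the same timestamps, as Rob suggests; a burst of invalidCredentials is a different problem (and the one to watch for from the lockout side).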
From mkosek at redhat.com Fri Jul 8 07:51:51 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 8 Jul 2016 09:51:51 +0200
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To:
References:
Message-ID: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com>

On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> Anyone ?!
>
> On 6 July 2016 at 22:36, Prashant Bapat wrote:
>
>     Hi,
>
>     We are using FreeIPA's LDAP as the base for user authentication in a
>     different application. So far I have created a sysaccount which does the
>     lookup etc for a user and things are working as expected. I'm even able to
>     use OTP from the external app.
>
>     One problem I'm struggling to fix is the expired passwords. Is there a way
>     to deny bind to LDAP only from this application? Obviously the user would
>     need to go to IPA's web UI and reset his password there.
>
>     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>     looks like this is an old one.
>
>     Thanks.
>     --Prashant

Hello Prashant,

https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
you want users with expired passwords to be denied, but it was not implemented
yet. Help welcome!

As a workaround, I assume you could simply leverage Kerberos for authentication
- it does respect expired passwords. We have advice on how to integrate that to
external web applications here:

http://www.freeipa.org/page/Web_App_Authentication

Martin

From tba at statsbiblioteket.dk Fri Jul 8 08:50:08 2016
From: tba at statsbiblioteket.dk (Tony Brian Albers)
Date: Fri, 8 Jul 2016 08:50:08 +0000
Subject: [Freeipa-users] copying through intermediate host.
Message-ID: <1467967809.14755.8.camel@statsbiblioteket.dk>

Hi Guys,

I'm trying to copy relevant users and groups from one IPA
server(server1) to another(server2). That is, they can't talk to one
another, they can't even establish connections to something outside
their own networks.
SSH into the servers from where I am(workstation1) works fine for both of them.

Is there a way to use ipa migrate-ds and get it to dump to a file that I
can import on server2?

The network layout is like this
server1----<>firewall2>>----server2

So, the firewalls allow connections from workstation1 to server 1 and
server2, but not from server1 to server2 or from either server1 or
server2 to workstation1.

The easy solution would be dumping the necessary info from the IPA
server to a file and then import it on the other server.

Any suggestions? I've looked a bit at ssh port forwarding, but I can't
really get an idea as how to relay the two connections to the servers to
one another.

Thanks,

Tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

From tba at statsbiblioteket.dk Fri Jul 8 09:58:42 2016
From: tba at statsbiblioteket.dk (Tony Brian Albers)
Date: Fri, 8 Jul 2016 09:58:42 +0000
Subject: [Freeipa-users] copying through intermediate host.
In-Reply-To: <1467967809.14755.8.camel@statsbiblioteket.dk>
References: <1467967809.14755.8.camel@statsbiblioteket.dk>
Message-ID: <1467971922.14755.15.camel@statsbiblioteket.dk>

Replying to myself here, I do that sometimes when I feel alone ;)

I actually tried ssh port forwarding and relaying through workstation1,
like so:

ssh -L 9000:localhost:389 root at server2 (in one terminal)
ssh -R 9100:localhost:9000 root at server1 (in another terminal)

And then, on server1:

echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100

But I get:

ipa: ERROR: Insufficient access: Invalid credentials

Even though the password _is_ correct and port 9100 is connected to ipa
on server2:

[server1]# ldapsearch -x -h localhost:9100 -b dc=server2,dc=server2net uid=admin
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, server2.server2net
dn: uid=admin,cn=users,cn=compat,dc=server2,dc=server2net
cn: Administrator
objectClass: posixAccount
objectClass: ipaOverrideTarget
........

So, I can connect to server2 on server1's port 9100 but I can't get ipa
migrate-ds to use it. And I did a kinit admin on server1 first ;)

Any suggestions are appreciated.

/tony

On Fri, 2016-07-08 at 08:50 +0000, Tony Brian Albers wrote:
> Hi Guys,
>
> I'm trying to copy relevant users and groups from one IPA
> server(server1) to another(server2). That is, they can't talk to one
> another, they can't even establish connections to something outside
> their own networks. SSH into the servers from where I am(workstation1)
> works fine for both of them.
>
> Is there a way to use ipa migrate-ds and get it to dump to a file that I
> can import on server2?
>
> The network layout is like this
> server1----<>firewall2>>----server2
>
> So, the firewalls allow connections from workstation1 to server 1 and
> server2, but not from server1 to server2 or from either server1 or
> server2 to workstation1.
>
> The easy solution would be dumping the necessary info from the IPA
> server to a file and then import it on the other server.
>
> Any suggestions? I've looked a bit at ssh port forwarding, but I can't
> really get an idea as how to relay the two connections to the servers to
> one another.
>
> Thanks,
>
> Tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
>

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

From jhrozek at redhat.com Fri Jul 8 11:40:55 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 8 Jul 2016 13:40:55 +0200
Subject: [Freeipa-users] Announce - SSSD 1.13 is the new LTM branch
Message-ID: <20160708114055.GE3921@hendrix>

Hi,

the SSSD upstream supports some selected branches for a longer time, to
make life easier for long-term supported distributions such as Red Hat
Enterprise Linux, Ubuntu LTM or Suse Enterprise Linux.

Since the sssd-1.13 branch is quite stable and already used in several
long-term supported distributions, we decided to formally proclaim it as
a LTM (Long-Term Maintenance) release. We will be backporting important
fixes to the branch and release updates as appropriate.

Packagers and maintainers of stable distributions are encouraged to use
the sssd-1.13 releases. Please let us know (by filing a ticket or sending
a mail to sssd-devel) if you need any fixes backported to the sssd-1-13
branch.
I've updated the SSSD Trac front page:
https://fedorahosted.org/sssd/wiki/WikiStart
and the Releases page:
https://fedorahosted.org/sssd/wiki/Releases
to reflect that.

From tba at statsbiblioteket.dk Fri Jul 8 11:56:37 2016
From: tba at statsbiblioteket.dk (Tony Brian Albers)
Date: Fri, 8 Jul 2016 11:56:37 +0000
Subject: [Freeipa-users] copying through intermediate host. SOLVED
In-Reply-To: <1467971922.14755.15.camel@statsbiblioteket.dk>
References: <1467967809.14755.8.camel@statsbiblioteket.dk> <1467971922.14755.15.camel@statsbiblioteket.dk>
Message-ID: <1467978997.14755.24.camel@statsbiblioteket.dk>

Ok, so I managed to get this fixed. It turned out that I ssh
port-forwarded in the wrong direction.

So the solution is as follows:

[workstation1]# ssh -L 9000:localhost:389 root at server1
[server1]#

[workstation1]# ssh -R 9100:localhost:9000 root at server2
[server2]# echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100
-----------
migrate-ds:
-----------
Migrated:
............
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

The main thing I missed was that I thought that the ldap:// URI in ipa
migrate-ds should point to the receiving server, since the documentation
explains that migrate-ds exports data. In reality, migrate-ds imports
data from the mentioned ldap uri and into the locally running ipa
server. So it should be run on the receiving host.
/tony

--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

From rmj at ast.cam.ac.uk Fri Jul 8 15:49:46 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Fri, 8 Jul 2016 16:49:46 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To:
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk> <577E60E6.90901@redhat.com> <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk>
Message-ID: <04fe73c6-11f4-df28-bb25-9c5c40b18390@ast.cam.ac.uk>

On 07/07/16 18:06, Roderick Johnstone wrote:
> On 07/07/16 16:30, Petr Vobornik wrote:
>> On 07/07/2016 05:09 PM, Roderick Johnstone wrote:
>>> On 07/07/16 15:02, Rob Crittenden wrote:
>>>> Roderick Johnstone wrote:
>>>>> On 05/07/16 11:52, Roderick Johnstone wrote:
>>>>>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>>>>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I installed my first master ipa server (server1) many months ago
>>>>>>>> (Redhat 7.1 IIRC) and made a replica server2 without problems.
>>>>>>>>
>>>>>>>> Now I'd like to bring online another replica (server3).
>>>>>>>>
>>>>>>>> All servers are now on Redhat 7.2
>>>>>>>> ipa-server-4.2.0-15.el7_2.17.x86_64,
>>>>>>>> but I get the following error when I run this on server1:
>>>>>>>>
>>>>>>>> server1> ipa-replica-prepare server3.example.com
>>>>>>>>
>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>
>>>>>>>> Preparing replica for server3.example.com from server1.example.com
>>>>>>>> Creating SSL certificate for the Directory Server
>>>>>>>> Certificate issuance failed
>>>>>>>>
>>>>>>>>
>>>>>>>> If I repeat this on server2, my first replica, it succeeds.
>>>>>>>>
>>>>>>>> Running in debug mode on server1:
>>>>>>>> server1> ipa-replica-prepare --debug server3.example.com
>>>>>>>> gives a lot of output of which the following seems relevant (some
>>>>>>>> info has been anonymised):
>>>>>>>>
>>>>>>>> Generating key. This may take a few moments...
>>>>>>>>
>>>>>>>>
>>>>>>>> ipa: DEBUG: request POST
>>>>>>>> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient
>>>>>>>> ipa: DEBUG: request body
>>>>>>>> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true'
>>>>>>>>
>>>>>>>> ipa: DEBUG: NSSConnection init server1.example.com
>>>>>>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0
>>>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>>>>>>> ipa: DEBUG: cert valid True for
>>>>>>>> "CN=server1.example.com,O=EXAMPLE.COM"
>>>>>>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443
>>>>>>>> ipa: DEBUG: Protocol: TLS1.2
>>>>>>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>>>>> ipa: DEBUG: response status 200
>>>>>>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 GMT',
>>>>>>>> 'content-length': '161', 'content-type': 'application/xml',
>>>>>>>> 'server': 'Apache-Coyote/1.1'}
>>>>>>>> ipa: DEBUG: response body '
>>>>>>>> standalone="no"?>1Server
>>>>>>>> Internal
>>>>>>>> Error 3'
>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>>>     return_value = self.run()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 337, in run
>>>>>>>>     self.copy_ds_certificate()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 382, in copy_ds_certificate
>>>>>>>>     self.export_certdb("dscert", passwd_fname)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 589, in export_certdb
>>>>>>>>     db.create_server_cert(nickname, hostname, ca_db)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 337, in create_server_cert
>>>>>>>>     cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 418, in issue_server_cert
>>>>>>>>     raise RuntimeError("Certificate issuance failed")
>>>>>>>>
>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
>>>>>>>> ipa-replica-prepare command failed, exception: RuntimeError:
>>>>>>>> Certificate issuance failed
>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
>>>>>>>> Certificate issuance failed
>>>>>>>>
>>>>>>>> If it's of relevance I did change the directory manager password on
>>>>>>>> both server1 and server2 a couple of weeks ago.
>>>>>>>>
>>>>>>>> I'd appreciate some pointers to resolving this.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Roderick Johnstone
>>>>>>>>
>>>>>>> Hi Roderick,
>>>>>>>
>>>>>>> try to look in the logs of the pki-ca subsystem. They should be
>>>>>>> located in /var/log/pki/pki-tomcat/ca/ directory. Look into the
>>>>>>> "system" and "debug" logs mainly.
>>>>>>>
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> Thanks for the pointers. We had looked at a lot of log files, but not
>>>>>> those ones!
>>>>>>
>>>>>> We were running the ipa-replica-prepare during the afternoon of 1
>>>>>> July. Here are the last few entries in the system log file.
>>>>>>
>>>>>> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap
>>>>>> (bound) connection pool to host server1.example.com port 636, Cannot
>>>>>> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error
>>>>>> creating JSS SSL Socket (-1)
>>>>>> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3]
>>>>>> CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the
>>>>>> internaldb. Error LDAP operation failure -
>>>>>> cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
>>>>>> netscape.ldap.LDAPException: error result (1)
>>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x1
>>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x2
>>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x3
>>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x1
>>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x2
>>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could not
>>>>>> store certificate serial number 0x3
>>>>>>
>>>>>> At corresponding times, in the debug logs there are entries like:
>>>>>>
>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation failure -
>>>>>> cn=1,ou=certificateRepository, ou=ca, o=ipaca
>>>>>> netscape.ldap.LDAPException: error result (68)
>>>>>>
>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter:
>>>>>> submit LDAP operation failure - cn=1,ou=certificateRepository, ou=ca,
>>>>>> o=ipaca netscape.ldap.LDAPException: error result (68)
>>>>>>
>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: SignedAuditEventFactory:
>>>>>> create()
>>>>>> message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server
>>>>>> Internal Error] certificate request processed
>>>>>>
>>>>>> And then in the dirsrv error file there seems to be one of these for
>>>>>> each of the attempts to run ipa-replica-prepare:
>>>>>> [01/Jul/2016:16:04:57 +0100] - Entry "uid=admin,ou=people,o=ipaca" --
>>>>>> attribute "krbExtraData" not allowed
>>>>>> [01/Jul/2016:16:07:16 +0100] - Entry "uid=admin,ou=people,o=ipaca" --
>>>>>> attribute "krbExtraData" not allowed
>>>>>> [01/Jul/2016:16:13:36 +0100] - Entry "uid=admin,ou=people,o=ipaca" --
>>>>>> attribute "krbExtraData" not allowed
>>>>>>
>>>>>> Do you think this is looking like the root cause? Can you suggest
>>>>>> how we fix that?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Roderick
>>>>>>
>>>>>
>>>>> Hi
>>>>>
>>>>> Did anyone have any ideas on fixing this please? I'm a bit stuck now.
>>>>
>>>> When you changed the DM passwords did you follow this,
>>>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>>>>
>>>> rob
>>>
>>> Hi Rob
>>>
>>> Well, yes, but I did nothing because I read that page to say that
>>> nothing needed doing because our server was on freeipa 4.2.0 (Redhat
>>> 7.2) and the procedure is automated for that version freeipa 3.3.2.
>>>
>>> Did I misunderstand that?
>>>
>>> Roderick
>>>
>>
>
> Hi Petr
>
>> Roderick, could you attach also snippet of dirsrv access log around the
>> time you see the "attribute "krbExtraData" not allowed" error?
>
> Would it be ok to send you this off-list? There is some stuff that
> identifies our domain and servers etc which I would rather not post to
> the list.
>
>>
>> After that, could you try to do step 3 of
>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password to
>> check if the automatic password change which is done in
>> ipa-replica-prepare failed. And if it is therefore the root cause.
>>
>
> I'm not sure if I actually need to do the first step (ldappasswd), but I
> can confirm that the second step, the ldapsearch, works if I use the new
> Directory Manager password. Is that enough to know, otherwise I can do
> the ldappasswd tomorrow (just don't want to mess with more than
> necessary now!).
>
> Thanks.
>
> Roderick
>

Hi

The "krbExtraData not allowed" might be a red herring since it's also
present in the server2 logs where the ipa-replica-prepare worked ok.

Back to the drawing board searching for a reason ipa-replica-prepare
fails on server1.

Roderick

From Brad.Cesarone at raytheon.com Fri Jul 8 16:10:42 2016
From: Brad.Cesarone at raytheon.com (Brad Cesarone)
Date: Fri, 8 Jul 2016 11:10:42 -0500
Subject: [Freeipa-users] Sync and BaseDN
Message-ID:

Hello

I have a few questions
1) Is it possible to sync/replicate with another ldap server? i.e Oracle Identity Manager
2) If #1 is true, is it possible to sync with two different suffixes?
3) Is it possible to either install IPA with a custom ldap Suffix or change the suffix once it is created?

Thank you

From anthonyclarka2 at gmail.com Fri Jul 8 17:13:33 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Fri, 8 Jul 2016 13:13:33 -0400
Subject: [Freeipa-users] steps to debug SOA serial being out of sync?
Message-ID:

Hello All,

I have two FreeIPA servers set up as follows:

ns01:
ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns --ssh-trust-dns --forwarder=1.2.3.4

ns02:
ipa-replica-install /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir --ssh-trust-dns --setup-dns --forwarder=1.2.3.4

Now, after being in use for a few months, my SOA serial numbers are
different as reported by the two servers:

ns01 reports 1467996578
ns02 reports 1467996455

[root at ns02 ~]# ipa dnszone-show dev.redacted.net
...
SOA serial: 1467996455
...
Same result on ns01, 1467996455

ipa-replica-conncheck is fine.

After an "ipactl restart" on ns02 (thinking that I needed to refresh the
ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
that of ns01:

ns01: 1467996578
ns02: 1467997519

Another "ipactl restart" on ns02 results in:

ns01: 1467996578
ns02: 1467997595

running "ipactl restart" on ns01 results in:

ns01: 1467997873
ns02: 1467997595

ns02 doesn't seem to be getting its serial number from ns01 at all.

Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
the replica?

Does anyone have any suggestions on how to debug this further?

Thanks,

Anthony Clark

From rcritten at redhat.com Fri Jul 8 17:13:57 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 8 Jul 2016 13:13:57 -0400
Subject: [Freeipa-users] Sync and BaseDN
In-Reply-To:
References:
Message-ID: <577FDF55.8010701@redhat.com>

Brad Cesarone wrote:
> Hello
>
> I have a few questions
> 1) Is it possible to sync/replicate with another ldap server? i.e Oracle
> Identity Manager
> 2) If #1 is true, is it possible to sync with two different suffixes?
> 3) Is it possible to either install IPA with a custom ldap Suffix or
> change the suffix once it is created?
>

https://www.redhat.com/archives/freeipa-users/2016-July/msg00091.html

From prashant at apigee.com Sat Jul 9 16:32:48 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Sat, 9 Jul 2016 22:02:48 +0530
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com>
References: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com>
Message-ID:

I cherry-picked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 and
compiled the ipa-pwd-extop slapi plugin. Now the user is denied bind. But
unable to reset the password.
On 8 July 2016 at 13:21, Martin Kosek wrote:

> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> > Anyone ?!
> >
> > On 6 July 2016 at 22:36, Prashant Bapat wrote:
> >
> >     Hi,
> >
> >     We are using FreeIPA's LDAP as the base for user authentication in a
> >     different application. So far I have created a sysaccount which does the
> >     lookup etc for a user and things are working as expected. I'm even able to
> >     use OTP from the external app.
> >
> >     One problem I'm struggling to fix is the expired passwords. Is there a way
> >     to deny bind to LDAP only from this application? Obviously the user would
> >     need to go to IPA's web UI and reset his password there.
> >
> >     I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
> >     looks like this is an old one.
> >
> >     Thanks.
> >     --Prashant
>
> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
> you want users with expired passwords to be denied, but it was not implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for authentication
> - it does respect expired passwords. We have advice on how to integrate that to
> external web applications here:
>
> http://www.freeipa.org/page/Web_App_Authentication
>
> Martin
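An added example, not code from the thread or from FreeIPA: a client-side check that an external application can run after its LDAP lookup, refusing logins whose krbPasswordExpiration has already passed, which covers the gap until ticket 1539 is implemented server-side (Kerberos, as Martin suggests, remains the cleaner route). It assumes the sysaccount is allowed to read krbPasswordExpiration and that entries arrive in python-ldap's attribute-to-list-of-bytes shape; the sample entries and timestamps below are constructed.

```python
"""Deny an external application's login when the IPA password has expired.

Added example (not FreeIPA's own code). Assumptions: the lookup account can
read krbPasswordExpiration, and the entry is a dict of attribute name ->
list of bytes values, as python-ldap returns it.
"""
from datetime import datetime, timezone

EXPIRY_ATTR = "krbPasswordExpiration"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as b'20160801120000Z' (UTC).

    389-ds writes krbPasswordExpiration as YYYYmmddHHMMSSZ. Other
    GeneralizedTime forms (fractional seconds, numeric offsets) are rejected
    rather than guessed at, so a malformed value can never be read as
    "far in the future" and silently allow a login.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError("unsupported GeneralizedTime: %r" % (value,))
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry, now=None, missing_means_expired=False):
    """Return True when the entry's Kerberos password expiry lies in the past.

    A missing attribute is treated as "no expiry set" by default; pass
    missing_means_expired=True to fail closed for accounts without it.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get(EXPIRY_ATTR) or []
    if not values:
        return missing_means_expired
    # If the attribute is unexpectedly multi-valued, the earliest value wins.
    expiry = min(parse_generalized_time(v) for v in values)
    return expiry <= now


def bind_decision(entry, now=None):
    """Return (allowed, reason) for the application's login decision.

    Call this after the LDAP lookup of the user and before (or instead of)
    treating a successful simple bind as proof that the account is in good
    standing. Unparseable expiry data fails closed.
    """
    try:
        if password_expired(entry, now):
            return False, "password expired; reset it in the IPA web UI"
    except ValueError as exc:
        return False, "cannot evaluate password expiry: %s" % exc
    return True, "ok"


# Constructed sample data, not real directory entries.
SAMPLE_NOW = datetime(2016, 7, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_FRESH = {"uid": [b"alice"], EXPIRY_ATTR: [b"20161007120000Z"]}
SAMPLE_STALE = {"uid": [b"bob"], EXPIRY_ATTR: [b"20160601120000Z"]}
SAMPLE_NO_EXPIRY = {"uid": [b"carol"]}
SAMPLE_MALFORMED = {"uid": [b"dave"], EXPIRY_ATTR: [b"2016-06-01"]}

if __name__ == "__main__":
    for label, entry in (("alice", SAMPLE_FRESH), ("bob", SAMPLE_STALE),
                         ("carol", SAMPLE_NO_EXPIRY), ("dave", SAMPLE_MALFORMED)):
        print(label, bind_decision(entry, SAMPLE_NOW))
```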
From jcnt at use.startmail.com Sun Jul 10 17:47:43 2016
From: jcnt at use.startmail.com (jcnt at use.startmail.com)
Date: Sun, 10 Jul 2016 13:47:43 -0400
Subject: [Freeipa-users] updating certificates
In-Reply-To: <57728EB8.2050805@redhat.com>
References: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com> <57728EB8.2050805@redhat.com>
Message-ID:

On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote:
> jcnt at use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
>
> It depends on whether you kept the original CSR or not. If you kept the
> original CSR and are just renewing the certificate(s) then when you get
> the new one, use certutil to add the updated cert to the appropriate NSS
> database like:
>
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>

Rob,

Thank you, that worked just fine, except that I had to update an intermediate certificate as well.

Two questions, please:

1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and /etc/dirsrv/slapd-domain. In both places the original intermediate certificate is listed with empty ",," trust attributes, so I initially added the new intermediate certificate with empty attributes as well. certutil -V showed a valid certificate in /etc/httpd/alias and not trusted in /etc/dirsrv/slapd-domain, so I had to modify the intermediate certificate with -t "C,,".

2.
Just out of curiosity I wanted to list private keys and am prompted for a password:

# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

Which one of the many passwords provided by a user is used by the ipa-server-install command during NSS database initialization?

Josh.

From pgb205 at yahoo.com Mon Jul 11 03:46:57 2016
From: pgb205 at yahoo.com (pgb205)
Date: Mon, 11 Jul 2016 03:46:57 +0000 (UTC)
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com>

I have successfully established trust and am able to obtain ticket granting ticket
kinit user at AD_DOMAIN.COM
I can also do kinit admin at IPA_DOMAIN.COM
ssh admin at IPA_DOMAIN.COM also works

however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails

I have checked that there are no hbac rules other than the default allow_all rule

in sssd_ssh.log see
permission denied (6) error

in sssd_ipa.domain.log file I see
pam_handler_callback 6 permission_denied

in sssd_nss.log
Unable to get information from Data Provider
Error: 3 Account info lookup failed
Will try to return what we have in cache

in /var/log/secure
received for user user at AD_DOMAIN.COM: 6 (Permission denied)

I can provide full logs if necessary to diagnose the above problem.

----------
Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
My understanding is that the only thing that I have to change to make this happen is /etc/krb5.conf
for line
[libdefaults]
default_realm=AD_DOMAN.COM
and then restarting ipa services.
However, when I do this I get failure to restart Samba service

From datakid at gmail.com Mon Jul 11 06:19:52 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 11 Jul 2016 16:19:52 +1000
Subject: [Freeipa-users] HBAC and AD users
Message-ID:

Hola,

Centos 7, up to date.

[root at linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

One way trust is successfully established, can login with

ssh username at domain1.com@server1.domain2.com

Am testing to get HBAC to work.

I've noticed that with the Allow All rule in effect, the following set up is sufficient:

add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of ad_internal

AD users can now successfully login to any server.

When I tried to set up an HBAC, I couldn't get that set up to work, I needed to complete the extra step of adding AD users explicitly to the "external member" group of the external group.

I also note that this seems to be explicitly user based, not group based? IE, I can add lachlan at domain1.com to the external members of ad_external and that works, but adding the group server_admins at domain1.com (as seen in `id lachlan at domain1.com`) doesn't allow all members access.

Does that sound correct?

L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
From datakid at gmail.com Mon Jul 11 06:30:38 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 11 Jul 2016 16:30:38 +1000
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

Have you set up the external group and internal group as required in IPA?

The server you are trying to log into - you have added this to the IPA server using ipa-client-install?

When you are logged into the server that you want to login to as root (or local user), does `id user at ad_domain.com` give you the results you expected?

(sorry to ask simple questions, but just in case....)

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 11 July 2016 at 13:46, pgb205 wrote:

> I have successfully established trust and am able to obtain ticket
> granting ticket
> kinit user at AD_DOMAIN.COM
> I can also do kinit admin at IPA_DOMAIN.COM
> ssh admin at IPA_DOMAIN.COM also works
>
> however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
>
> I have checked that there are no hbac rules other than the default
> allow_all rule
>
> in sssd_ssh.log see
> permission denied (6) error
>
> in sssd_ipa.domain.log file I see
> pam_handler_callback 6 permission_denied
>
> in sssd_nss.log
> Unable to get information from Data Provider
> Error: 3 Account info lookup failed
> Will try to return what we have in cache
>
> in /var/log/secure
> received for user user at AD_DOMAIN.COM: 6 (Permission denied)
>
> I can provide full logs if necessary to diagnose the above problem.
>
> ----------
> Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
> My understanding is that the only thing that I have to change to make this happen
> is /etc/krb5.conf
> for line
> [libdefaults]
> default_realm=AD_DOMAN.COM
> and then restarting ipa services.
>
> However, when I do this I get failure to restart Samba service
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From abokovoy at redhat.com Mon Jul 11 06:44:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 11 Jul 2016 09:44:39 +0300
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References:
Message-ID: <20160711064439.d4hrvxvqmopm6nni@redhat.com>

On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>Hola,
>
>Centos 7, up to date.
>
>[root at linuxidm ~]# ipa --version
>VERSION: 4.2.0, API_VERSION: 2.156
>
>One way trust is successfully established, can login with
>
>ssh username at domain1.com@server1.domain2.com
>
>Am testing to get HBAC to work.
>
>I've noticed that with the Allow All rule in effect, the following set up
>is sufficient:
>
>add external group "ad_external"
>add internal group, "ad_internal", add ad_external as a group member of
>ad_internal
>
>AD users can now successfully login to any server.
>
>When I tried to set up an HBAC, I couldn't get that set up to work, I
>needed to complete the extra step of adding AD users explicitly to the
>"external member" group of the external group.
>
>I also note that this seems to be explicitly user based, not group based?
>IE, I can add lachlan at domain1.com to the external members of ad_external
>and that works, but adding the group server_admins at domain1.com (as seen in
>`id lachlan at domain1.com`) doesn't allow all members access.
>
>Does that sound correct?
No, it does not.
HBAC evaluation and external group merging/resolution is done by SSSD.
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
that can help understanding what happens there.

What SSSD version do you have on both IPA client and IPA server?

--
/ Alexander Bokovoy

From datakid at gmail.com Mon Jul 11 06:55:37 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 11 Jul 2016 16:55:37 +1000
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To: <20160711064439.d4hrvxvqmopm6nni@redhat.com>
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com>
Message-ID:

On 11 July 2016 at 16:44, Alexander Bokovoy wrote:

> On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>
>> Hola,
>>
>> Centos 7, up to date.
>>
>> [root at linuxidm ~]# ipa --version
>> VERSION: 4.2.0, API_VERSION: 2.156
>>
>> One way trust is successfully established, can login with
>>
>> ssh username at domain1.com@server1.domain2.com
>>
>> Am testing to get HBAC to work.
>>
>> I've noticed that with the Allow All rule in effect, the following set up
>> is sufficient:
>>
>> add external group "ad_external"
>> add internal group, "ad_internal", add ad_external as a group member of
>> ad_internal
>>
>> AD users can now successfully login to any server.
>>
>> When I tried to set up an HBAC, I couldn't get that set up to work, I
>> needed to complete the extra step of adding AD users explicitly to the
>> "external member" group of the external group.
>>
>> I also note that this seems to be explicitly user based, not group based?
>> IE, I can add lachlan at domain1.com to the external members of ad_external
>> and that works, but adding the group server_admins at domain1.com (as seen
>> in
>> `id lachlan at domain1.com`) doesn't allow all members access.
>>
>> Does that sound correct?
>>
> No, it does not.
> HBAC evaluation and external group merging/resolution is done by SSSD.
> Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> that can help understanding what happens there.
>
> What SSSD version do you have on both IPA client and IPA server?

1.13.0 on both client and server.

To be honest, we have ratcheted up the logs and it doesn't help that much. We just got lots of "unsupported PAM command [249]"

Cheers
L.

From sbose at redhat.com Mon Jul 11 07:06:21 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 11 Jul 2016 09:06:21 +0200
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:
> I have successfully established trust and am able to obtain ticket granting ticket
> kinit user at AD_DOMAIN.COM
> I can also do kinit admin at IPA_DOMAIN.COM
> ssh admin at IPA_DOMAIN.COM also works
> however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
> I have checked that there are no hbac rules other than the default allow_all rule
> in sssd_ssh.log see
> permission denied (6) error
> in sssd_ipa.domain.log file I see
> pam_handler_callback 6 permission_denied
> in sssd_nss.log
> Unable to get information from Data Provider
> Error: 3 Account info lookup failed
> Will try to return what we have in cache
> in /var/log/secure
> received for user user at AD_DOMAIN.COM: 6 (Permission denied)
>
> I can provide full logs if necessary to diagnose the above problem.

Yes, full SSSD logs with debug_level=10 would be best.
> ----------
> Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
> My understanding is that the only thing that I have to change to make this happen is /etc/krb5.conf
> for line
> [libdefaults]
> default_realm=AD_DOMAN.COM
> and then restarting ipa services.

No, please do not change the default_realm. This is not related to the issues you are seeing.

bye,
Sumit

> However, when I do this I get failure to restart Samba service

From sbose at redhat.com Mon Jul 11 07:15:38 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 11 Jul 2016 09:15:38 +0200
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com>
Message-ID: <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
> On 11 July 2016 at 16:44, Alexander Bokovoy wrote:
>
> > On Mon, 11 Jul 2016, Lachlan Musicman wrote:
> >
> >> Hola,
> >>
> >> Centos 7, up to date.
> >>
> >> [root at linuxidm ~]# ipa --version
> >> VERSION: 4.2.0, API_VERSION: 2.156
> >>
> >> One way trust is successfully established, can login with
> >>
> >> ssh username at domain1.com@server1.domain2.com
> >>
> >> Am testing to get HBAC to work.
> >>
> >> I've noticed that with the Allow All rule in effect, the following set up
> >> is sufficient:
> >>
> >> add external group "ad_external"
> >> add internal group, "ad_internal", add ad_external as a group member of
> >> ad_internal
> >>
> >> AD users can now successfully login to any server.
> >>
> >> When I tried to set up an HBAC, I couldn't get that set up to work, I
> >> needed to complete the extra step of adding AD users explicitly to the
> >> "external member" group of the external group.
Yes, this is expected; you either have to add AD users or groups to the external groups.

> >>
> >> I also note that this seems to be explicitly user based, not group based?
> >> IE, I can add lachlan at domain1.com to the external members of ad_external
> >> and that works, but adding the group server_admins at domain1.com (as seen
> >> in
> >> `id lachlan at domain1.com`) doesn't allow all members access.

Since it looks like you are using FreeIPA 4.2 you might hit https://fedorahosted.org/freeipa/ticket/5573 . But SSSD logs, especially the part where the HBAC rules are evaluated, would help to understand the issue better.

> >>
> >> Does that sound correct?
> >>
> > No, it does not.
> > HBAC evaluation and external group merging/resolution is done by SSSD.
> > Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> > that can help understanding what happens there.
> >
> > What SSSD version do you have on both IPA client and IPA server?
> >
>
> 1.13.0 on both client and server.
>
> To be honest, we have ratcheted up the logs and it doesn't help that much.
> We just got lots of "unsupported PAM command [249]"

This is unrelated, I assume this happens when trying to store the hashed password to the cache. This message is removed in newer releases.

bye,
Sumit

>
> Cheers
> L.

From pspacek at redhat.com Mon Jul 11 07:33:40 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 11 Jul 2016 09:33:40 +0200
Subject: [Freeipa-users] steps to debug SOA serial being out of sync?
In-Reply-To:
References:
Message-ID:

On 8.7.2016 19:13, Anthony Clark wrote:
> Hello All,
>
> I have two FreeIPA servers set up as follows:
>
> ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> --ssh-trust-dns --forwarder=1.2.3.4
>
> ns02: ipa-replica-install
> /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
>
>
> Now, after being in use for a few months, my SOA serial numbers are
> different as reported by the two servers:
>
> ns01 reports 1467996578
> ns02 reports 1467996455
>
> [root at ns02 ~]# ipa dnszone-show dev.redacted.net
> ...
> SOA serial: 1467996455
> ...
>
> Same result on ns01, 1467996455
>
> ipa-replica-conncheck is fine.
>
> After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> that of ns01:
>
> ns01: 1467996578
> ns02: 1467997519
>
> Another "ipactl restart" on ns02 results in:
>
> ns01: 1467996578
> ns02: 1467997595
>
> running "ipactl restart" on ns01 results in:
>
> ns01: 1467997873
> ns02: 1467997595
>
> ns02 doesn't seem to be getting its serial number from ns01 at all.
>
> Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
> the replica?
>
> Does anyone have any suggestions on how to debug this further?

Hello,

this is in fact expected. IPA has multi-master DNS so serials are not synced.

This is documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers

I hope it helps.

--
Petr^2 Spacek

From simecek.tomas at gmail.com Mon Jul 11 07:04:06 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 11 Jul 2016 09:04:06 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID:

Hi all,

thanks and sorry for my late answer again.
I am new to mailing lists and I assumed no one is responding when mails are not coming. I did not know I have to check on the website.

I have enabled sssd_sudo log and here are outputs from sssd_sudo.log and sssd_linuxdomain.cz.log when trying sudo again:

sssd_sudo.log:

(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= simecek.tomas at
sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\ 20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz )(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' sd-stc.cz', user is simecek.tomas (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' sd-stc.cz', user is simecek.tomas (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= 
simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\ 20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz )(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz )(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz )(sudoUser=%account at sd-stc.cz)(sudoUser=+*)))] (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit Looking at it with my untrained eye gives no clue what could be wrong. 
Here is sssd_linuxdomain.cz.log from the same moment: (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 32 timeout 6 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 32 finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 33 timeout 6 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 34 timeout 60
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 34 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 35 timeout 60
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cece0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 35 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 36
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 36 timeout 6
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 36 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 37
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 37 timeout 6
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 37 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30820]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30820].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30820] finished successfully.
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f841541e810] immediately.
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30821]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getDomains on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [SD-STC]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 38 timeout 6
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 38 finished
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 39 timeout 6
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustDirection]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 39 finished
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a member domain
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] (0x0200): Trust direction of sd-stc.cz is trust direction not set
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP deref
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 40 timeout 6
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 40 finished
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): No view found, using default.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): Found view name [default].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success (Success)]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468220118][1468220118][1468256118][1468306518].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] done.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30821]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30821] finished successfully. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 41 timeout 60 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542ea90], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 41 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 42 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 42 timeout 6 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 42 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 43 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 43 timeout 6 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 43 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [ simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [ simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] 
(0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [ simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz ))][cn=accounts,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 44 timeout 60 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 44 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=spcss-2t-www.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 45 timeout 60 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 45 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 46 timeout 60 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 46 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 47 timeout 60 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 47 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: 
[cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= spcss-2t-www.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= spcss-2t-www.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 48 timeout 60
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas@sd-stc.cz
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas@sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas@sd-stc.cz] is empty.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]

Any idea what to check next?

Thanks a lot.

Tomas

2016-07-04 9:50 GMT+02:00 Tomas Simecek :

> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins
> can authenticate on Linux servers using their Windows AD account.
> Following this guide
> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
> work well, they can log in without problems.
> What I cannot make work is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.tomas@sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core),
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in logs and googling, I realized that the problem on client
> side could be:
>
> [root@spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
> Password for simecek.tomas@SD-STC.CZ:
> [root@spcss-2t-www ~]# klist
> Default principal: simecek.tomas@SD-STC.CZ
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = linuxdomain.cz
> [nss]
> homedir_substring = /home
> ....
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = LINUXDOMAIN.CZ
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
> LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>
> [domain_realm]
> .linuxdomain.cz = LINUXDOMAIN.CZ
> linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek
>

From simecek.tomas at gmail.com Mon Jul 11 08:07:45 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 11 Jul 2016 10:07:45 +0200
Subject: [Freeipa-users] Sudo not working for AD users
Message-ID:

Dear freeipa admins,

let me repost my older question. I originally asked last week, but communication was problematic because I was an external user. Now I have subscribed.

My problem:

I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can log in without problems.
What I cannot make work is sudo from their AD accounts on Linux.

No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for simecek.tomas@sd-stc.cz:
Sorry, try again.
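The HBAC check that the sssd backend log earlier in this thread traces (hbac_attrs_to_rule through ipa_hbac_evaluate_rules), as an added example that is not part of any post here and not SSSD's own code: the rule contents are taken from those log lines, the requests at the bottom are constructed, and the matching logic is a simplified model of how an allow-only HBAC rule set is evaluated.

```python
"""Simplified model of the HBAC rule evaluation traced in the sssd backend
log (hbac_attrs_to_rule ... ipa_hbac_evaluate_rules). Added example, not
SSSD's code. Rule contents come from the log entries; the requests are
constructed for the demonstration."""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """One ipaHBACRule as the backend loads it; only accessRuleType=allow
    rules are fetched (see the ldap_search_ext filter in the log)."""
    name: str
    enabled: bool = True
    user_category_all: bool = False      # userCategory=all
    users: set = field(default_factory=set)         # memberUser: users
    groups: set = field(default_factory=set)        # memberUser: POSIX groups
    service_category_all: bool = False   # serviceCategory=all
    services: set = field(default_factory=set)      # memberService: PAM services
    service_groups: set = field(default_factory=set)
    host_category_all: bool = False      # hostCategory=all
    hosts: set = field(default_factory=set)         # memberHost: FQDNs
    hostgroups: set = field(default_factory=set)


@dataclass
class HbacRequest:
    """What the PAM responder hands to the access provider (pam_print_data)
    plus the memberships resolved for it (hbac_eval_user_element)."""
    user: str
    user_groups: set                 # IPA groups; non-IPA memberOf DNs are skipped
    service: str                     # PAM service name, e.g. "sshd" or "sudo"
    target_host: str                 # the client's ipa_hostname
    target_hostgroups: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


def element_matches(category_all, names, groups, name, memberships):
    """A rule element matches when its category is ALL, the name is listed
    directly, or one of the rule's groups is among the request's memberships."""
    return category_all or name in names or bool(groups & memberships)


def rule_matches(rule, req):
    """User, service and target host must all match. Source hosts are not
    checked: the log shows "Source hosts disabled, setting ALL"."""
    if not rule.enabled:
        return False
    return (element_matches(rule.user_category_all, rule.users, rule.groups,
                            req.user, req.user_groups)
            and element_matches(rule.service_category_all, rule.services,
                                rule.service_groups, req.service,
                                req.service_groups)
            and element_matches(rule.host_category_all, rule.hosts,
                                rule.hostgroups, req.target_host,
                                req.target_hostgroups))


def evaluate(rules, req):
    """("allow", rule name) for the first matching allow rule, otherwise
    ("deny", None): with allow-only rules, no match is what the log reports
    as "Access denied by HBAC rules"."""
    for rule in rules:
        if rule_matches(rule, req):
            return ("allow", rule.name)
    return ("deny", None)


# The rule as the log loads it: POSIX group grpunixadmins, services login and
# sshd, target host spcss-2t-www.linuxdomain.cz. The zp-cml-test memberHost
# was skipped ("does not map to either a host or hostgroup"), so it is absent.
TEST_SERVER_RULE = HbacRule(
    name="Unixari na test servery",
    groups={"grpunixadmins"},
    services={"login", "sshd"},
    hosts={"spcss-2t-www.linuxdomain.cz"},
)

# Constructed requests for the AD user in the log, whose seven memberOf
# values reduced to the single IPA group grpunixadmins.
USER = "simecek.tomas@sd-stc.cz"
SSH_REQUEST = HbacRequest(USER, {"grpunixadmins"}, "sshd",
                          "spcss-2t-www.linuxdomain.cz")
SUDO_REQUEST = HbacRequest(USER, {"grpunixadmins"}, "sudo",
                           "spcss-2t-www.linuxdomain.cz")
OTHER_HOST_REQUEST = HbacRequest(USER, {"grpunixadmins"}, "sshd",
                                 "zp-cml-test.linuxdomain.cz")

if __name__ == "__main__":
    for label, req in (("sshd", SSH_REQUEST), ("sudo", SUDO_REQUEST),
                       ("sshd on zp-cml-test", OTHER_HOST_REQUEST)):
        print(label, "->", evaluate([TEST_SERVER_RULE], req))
```

With this rule set the sshd request is allowed while a request for the PAM service sudo, which the rule does not list, is denied; SSSD performs this check in the PAM account-management step, separately from password authentication.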
Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Freeipa client: the same

AD domain name: sd-stc.cz
IPA domain: linuxdomain.cz
freeipa server: svlxxipap.linuxdomain.cz

sssd.conf:
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
debug_level = 0x3ff0
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz
[nss]
homedir_substring = /home
[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

nsswitch conf:
...
sudoers: files sss

Logs are below.
What surprises me is that the sudo log says:

(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas@sd-stc.cz]

while the sssd log says:

(Mon Jul 11 09:53:17 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 0 rules

My rule:

[root@svlxxipap ~]# ipa sudorule-show
Rule name: Pokusne
  Rule name: Pokusne
  Enabled: TRUE
  Command category: all
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz

sssd_sudo.log:

(Mon Jul 11 08:55:11 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Jul 11 08:55:11 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*)))]
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

My sssd_linuxdomain.cz.log:

(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 32 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute.
[0][Success] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external]. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external]. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external (Mon Jul 11 08:55:14 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done(Mon Jul 11 08:55:14 2016) [sssd[be[ linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 34 timeout 60 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 34 finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 35 timeout 60 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cece0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 35 finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 36 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 36 timeout 6 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 36 finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 37 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 37 timeout 6 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 37 finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [ simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [ simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately. 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// svlxxipap.linuxdomain.cz' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30820] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server ' svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30820]. (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30820] finished successfully. 
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f841541e810] immediately. 
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// svlxxipap.linuxdomain.cz' (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30821] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getDomains on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [SD-STC] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 38 timeout 6 (Mon Jul 11 08:55:18 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 38 finished (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 39 timeout 6 (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz]. 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustDirection] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 39 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a member domain (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] (0x0200): Trust direction of sd-stc.cz is trust direction not set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP deref (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz ))][cn=accounts,dc=linuxdomain,dc=cz]. 
2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 11 08:55:19 
2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or 
hostgroup. Skipping (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.tomas at sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] 
[be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost: (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): 
cli_pid: 30819 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// svlxxipap.linuxdomain.cz' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server ' svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working' (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done. (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] Any idea where to look next? Thanks in advance Tomas -------------- next part -------------- An HTML attachment was scrubbed... 
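Reading an HBAC trace like the one above by hand is error-prone, so here is a small triage script, an added example that is not code from this thread or from SSSD, which parses the backend debug lines for one PAM request and reports why HBAC said no (which services, hosts and groups each rule carried versus the request's user and PAM service). Its sample lines are constructed to mirror the excerpt; that the denied request was for PAM service sudo is an assumption, since the excerpt shows the service only for the PREAUTH request that follows the denial.

```python
"""Triage helper for the HBAC part of an SSSD IPA-backend debug log.

Added example for this thread (not SSSD code): it reads the lines SSSD logs
while building and evaluating HBAC rules for one PAM request and explains a
denial in terms of user, groups and PAM service.
"""
import re
from collections import defaultdict

# One SSSD debug line: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]+ \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
BRACKETED = re.compile(r"\[([^\]]*)\]")

# Which "Added ... to rule [...]" producer fills which bucket of a rule.
RULE_BUCKETS = {
    "hbac_user_attrs_to_rule": "groups",
    "hbac_service_attrs_to_rule": "services",
    "hbac_host_attrs_to_rule": "hosts",
}


def parse_line(line):
    """Return the fields of one SSSD debug line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_hbac(lines):
    """Summarise the HBAC evaluation of one PAM request from backend debug lines."""
    request, user_groups, verdict, current = {}, set(), None, None
    rules = defaultdict(lambda: {"services": set(), "hosts": set(),
                                 "groups": set(), "unmapped": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "pam_print_data":  # command:, user:, service:, tty:, ...
            key, _, value = msg.partition(":")
            request[key.strip()] = value.strip()
        elif func == "hbac_attrs_to_rule" and msg.startswith("Processing rule"):
            current = BRACKETED.search(msg).group(1)
            _ = rules[current]  # materialise the rule even if nothing is added
        elif func in RULE_BUCKETS and msg.startswith("Added") and current:
            rules[current][RULE_BUCKETS[func]].add(BRACKETED.search(msg).group(1))
        elif func == "hbac_host_attrs_to_rule" and "does not map" in msg and current:
            rules[current]["unmapped"].append(BRACKETED.search(msg).group(1))
        elif func == "hbac_eval_user_element" and msg.startswith("Added group"):
            user_groups.add(BRACKETED.search(msg).group(1))
        elif func == "ipa_hbac_evaluate_rules":
            verdict = "denied" if msg == "Access denied by HBAC rules" else msg

    findings = []
    if verdict == "denied":
        svc = request.get("service")
        for name, r in rules.items():
            # An empty bucket means SSSD logged no per-item lines for it (for
            # example serviceCategory=all), so only non-empty buckets are judged.
            if svc and r["services"] and svc not in r["services"]:
                findings.append(f"rule [{name}] allows services {sorted(r['services'])}, "
                                f"not the requested PAM service '{svc}'")
            if r["groups"] and not (user_groups & r["groups"]):
                findings.append(f"rule [{name}] matches none of the user's groups "
                                f"{sorted(user_groups)}")
            for dn in r["unmapped"]:
                findings.append(f"rule [{name}] member [{dn}] could not be mapped "
                                "to a host or hostgroup; check that host entry")
    return {
        "request": request,
        "rules": {n: {k: sorted(v) for k, v in r.items()} for n, r in rules.items()},
        "user_groups": sorted(user_groups),
        "verdict": verdict,
        "findings": findings,
    }


# Constructed sample modelled on the excerpt above; the denied request is
# assumed to be the sudo account-management check that precedes the PREAUTH.
SAMPLE_LOG = """\
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas@sd-stc.cz]
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""


if __name__ == "__main__":
    for finding in triage_hbac(SAMPLE_LOG.splitlines())["findings"]:
        print("-", finding)
```

Run it against a real sssd_<domain>.log slice captured with debug_level = 0x3ff0 or higher, one PAM request at a time; findings only appear when the verdict line is present.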
From Brad.Cesarone at raytheon.com Mon Jul 11 12:54:36 2016
From: Brad.Cesarone at raytheon.com (Brad Cesarone)
Date: Mon, 11 Jul 2016 07:54:36 -0500
Subject: [Freeipa-users] Sync and BaseDN
In-Reply-To: <577FDF55.8010701@redhat.com>
References: <577FDF55.8010701@redhat.com>,
Message-ID:

Whoops, sorry about that. I didn't know my original question had posted. The reply went to the mailing list only and not my other email. I'll keep the original going in the original thread as much as possible. Thanks!

-----Rob Crittenden wrote: -----
To: Brad Cesarone , freeipa-users at redhat.com
From: Rob Crittenden
Date: 07/08/2016 12:14PM
Subject: Re: [Freeipa-users] Sync and BaseDN

Brad Cesarone wrote:
> Hello
>
> I have a few questions
> 1) Is it possible to sync/replicate with another ldap server? i.e. Oracle Identity Manager
> 2) If #1 is true, is it possible to sync with two different suffixes?
> 3) Is it possible to either install IPA with a custom ldap Suffix or change the suffix once it is created?
>

https://www.redhat.com/archives/freeipa-users/2016-July/msg00091.html

From ladner.danila at gmail.com Mon Jul 11 12:57:46 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Mon, 11 Jul 2016 08:57:46 -0400
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID:

What version of sssd are you running?

On Mon, Jul 11, 2016 at 3:04 AM, Tomas Simecek wrote:
> Hi all,
> thanks and sorry for my late answer again. I am new to mailing lists and I assumed no one is responding when mails are not coming.
> I did not know I have to check on the website.
>
> I have enabled sssd_sudo log and here are outputs from sssd_sudo.log and sssd_linuxdomain.cz.log when trying sudo again:
> sssd_sudo.log:
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
> Looking at it with my untrained eye gives no clue what could be wrong.
>
> Here is sssd_linuxdomain.cz.log from the same moment:
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 32 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 33 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 34 timeout 60
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 34 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed.
Returned 0,0,Success (Success) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getAccountInfo on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust > View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 35 timeout 60 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cece0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 35 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 36 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 36 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841540fe90], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841540fe90], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 36 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_by_name] (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 37 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 37 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84154511d0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84154511d0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 37 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz > ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz > ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] > (0x0100): Request processed. Returned 0,0,Success (Success) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] > (0x0100): Got request with the following data > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): command: SSS_PAM_PREAUTH > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): domain: sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): user: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): service: sudo > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): ruser: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): rhost: > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): authtok type: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): priv: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_send] (0x1000): Wait queue of user [ > simecek.tomas at sd-stc.cz] is empty, running 
request [0x7f8415414ac0] > immediately. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] > (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is > 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x0200): Found address for server > svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > svlxxipap.linuxdomain.cz' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [30820] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [write_pipe_handler] (0x0400): All data has been sent! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0100): Marking port 0 of server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [set_server_common_status] (0x0100): Marking server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): password not available, offline auth may > not work. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] > (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] > done. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x1000): Waiting for child [30820]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x0100): child [30820] finished successfully. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] > (0x0100): Got request with the following data > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): command: PAM_AUTHENTICATE > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): domain: sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): user: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): service: sudo > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): ruser: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): rhost: > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): authtok type: 1 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): priv: 0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_send] (0x1000): Wait queue of user [ > simecek.tomas at sd-stc.cz] is empty, 
running request [0x7f841541e810] > immediately. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] > (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is > 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x0200): Found address for server > svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > svlxxipap.linuxdomain.cz' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [30821] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [write_pipe_handler] (0x0400): All data has been sent! 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getDomains on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] > (0x0400): Got get subdomains [SD-STC] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaSecondaryBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New 
operation 38 timeout 6 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaSecondaryBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 38 finished > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustDirection] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 39 timeout 6 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTFlatName] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustDirection] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 39 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a > member domain > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] > (0x0200): Trust direction of sd-stc.cz is trust direction not set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP > deref > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_search_send] (0x0400): Dereferencing entry > [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz > ))][cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 40 timeout 6 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > control parsed > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x2000): Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 40 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_get_view_name_done] (0x0400): No view found, using default. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_get_view_name_done] (0x0400): Found view name [default]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][3][40]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): TGT times are > [1468220118][1468220118][1468256118][1468306518]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][6][8]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0100): Marking port 0 of server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [set_server_common_status] (0x0100): Marking server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] > (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] > done. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x1000): Waiting for child [30821]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x0100): child [30821] finished successfully. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getAccountInfo on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust > View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 41 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542ea90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 41 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 42
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 42 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 42 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 43
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 43 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 43 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 44 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 44 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 45 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 45 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 46 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 46 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 47 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 47 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] 
[sdap_op_add] > (0x2000): New operation 48 timeout 60 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841545aab0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841545aab0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaenabledflag] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [accessRuleType] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [memberUser] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [memberService] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [memberHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841545aab0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > 
errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x2000): Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 48 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na > test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_users] (0x2000): Search users with filter: > (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_users] (0x2000): No such entry > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_groups] (0x2000): Search groups with filter: > (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to > rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule > [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule > [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule > [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule > [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_host_attrs_to_rule] (0x2000): Added host [ > spcss-2t-www.linuxdomain.cz] to rule [Unixari na test 
servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] > does not map to either a host or hostgroup. Skipping > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule > [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz > ] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=central_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x2000): Skipping non-group memberOf > [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ > simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules > (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) > [Success (Permission denied)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] > (0x0100): Got request with the following data > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): command: SSS_PAM_PREAUTH > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): domain: sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): user: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): service: sudo > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): ruser: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): rhost: > 
(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): authtok type: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): priv: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_send] (0x1000): Wait queue of user [ > simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] > immediately. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] > (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is > 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x0200): Found address for server > svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > svlxxipap.linuxdomain.cz' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [30822] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [write_pipe_handler] (0x0400): All data has been sent! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x1000): Waiting for child [30822]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x0100): child [30822] finished successfully. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0100): Marking port 0 of server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [set_server_common_status] (0x0100): Marking server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): password not available, offline auth may > not work. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] > (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] > done. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>
> Any idea what to check next?
>
> Thanks a lot.
>
> Tomas
>
>
> 2016-07-04 9:50 GMT+02:00 Tomas Simecek :
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can login without problems.
>> What I cannot make working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas at sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on client
>> side could be:
>>
>> [root at spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ
>> Password for simecek.tomas at SD-STC.CZ:
>> [root at spcss-2t-www ~]# klist
>> Default principal: simecek.tomas at SD-STC.CZ
>>
>> Valid starting Expires Service principal
>> 07/04/2016 09:36:26 07/04/2016 19:36:26 krbtgt/SD-STC.CZ at SD-STC.CZ
>> renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...

From anthonyclarka2 at gmail.com Mon Jul 11 13:40:50 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Mon, 11 Jul 2016 09:40:50 -0400
Subject: [Freeipa-users] steps to debug SOA serial being out of sync?
In-Reply-To:
References:
Message-ID:

Thanks for the answer,

I just wanted to confirm: Various "DNS health checks" complain about SOA serials not being the same. Are those safe to ignore?

I have 2 FreeIPA servers for basic redundancy. Should I not be pointing my hosts at both FreeIPA hosts for DNS?
Thanks,

Anthony

On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek wrote:

> On 8.7.2016 19:13, Anthony Clark wrote:
> > Hello All,
> >
> > I have two FreeIPA servers set up as follows:
> >
> > ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
> > --ssh-trust-dns --forwarder=1.2.3.4
> >
> > ns02: ipa-replica-install
> > /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
> > --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
> >
> >
> > Now, after being in use for a few months, my SOA serial numbers are
> > different as reported by the two servers:
> >
> > ns01 reports 1467996578
> > ns02 reports 1467996455
> >
> > [root at ns02 ~]# ipa dnszone-show dev.redacted.net
> > ...
> > SOA serial: 1467996455
> > ...
> >
> > Same result on ns01, 1467996455
> >
> > ipa-replica-conncheck is fine.
> >
> > After an "ipactl restart" on ns02 (thinking that I needed to refresh the
> > ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
> > that of ns01:
> >
> > ns01: 1467996578
> > ns02: 1467997519
> >
> > Another "ipactl restart" on ns02 results in:
> >
> > ns01: 1467996578
> > ns02: 1467997595
> >
> > running "ipactl restart" on ns01 results in:
> >
> > ns01: 1467997873
> > ns02: 1467997595
> >
> > ns02 doesn't seem to be getting its serial number from ns01 at all.
> >
> > Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
> > the replica?
> >
> > Does anyone have any suggestions on how to debug this further?
>
> Hello,
>
> this is in fact expected. IPA has multi-master DNS so serials are not
> synced.
>
> This is documented in
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>
> I hope it helps.
>
> --
> Petr^2 Spacek
>
-------------- next part --------------
An HTML attachment was scrubbed...
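As an added example (not code from this thread, from Petr, or from FreeIPA), here is a check that compares the zone content served by two IPA DNS masters while masking the SOA serial. It generalizes the point in Petr's quoted reply: with IPA multi-master DNS each server keeps its own serial, so a health check that alarms on serial mismatch is noise, and the check worth running alarms on differing records instead. The zone name, server names and serials are the ones from this thread; the record set, addresses and TTLs are constructed for the example.

```python
"""Zone-content consistency check for two IPA DNS masters.

Added example, not code from this thread or from FreeIPA.  IPA's DNS is
multi-master: each server keeps its own SOA serial, so comparing serials
between ns01 and ns02 will always complain.  What matters is whether both
servers hand out the same records, so this check masks the SOA serial and
diffs everything else.
"""

# Constructed zone dump from ns01 (what a zone transfer from ns01 would
# print, minus the tool's own header lines).  The serial is the one ns01
# reported in the thread; the addresses and TTLs are assumptions.
NS01_ZONE = """\
dev.redacted.net. 3600 IN SOA ns01.dev.redacted.net. hostmaster.dev.redacted.net. 1467996578 3600 900 1209600 3600
dev.redacted.net. 3600 IN NS ns01.dev.redacted.net.
dev.redacted.net. 3600 IN NS ns02.dev.redacted.net.
ns01.dev.redacted.net. 1200 IN A 10.0.0.1 ; constructed address
ns02.dev.redacted.net. 1200 IN A 10.0.0.2 ; constructed address
_ldap._tcp.dev.redacted.net. 86400 IN SRV 0 100 389 ns01.dev.redacted.net.
_ldap._tcp.dev.redacted.net. 86400 IN SRV 0 100 389 ns02.dev.redacted.net.
"""

# Same content as served by ns02, with ns02's own serial (also from the thread).
NS02_ZONE = NS01_ZONE.replace("1467996578", "1467996455")

# A genuinely divergent ns02 (constructed): one SRV record is missing.  A
# serial comparison cannot tell this case apart from the healthy one above.
NS02_STALE_ZONE = "\n".join(
    line for line in NS02_ZONE.splitlines()
    if not line.endswith("389 ns02.dev.redacted.net.")
) + "\n"


def parse_zone(text):
    """Parse 'owner ttl class type rdata...' lines into
    {(owner, type): set(rdata)} and return (soa_serial, records).

    Comments (after ';') and blank lines are ignored.  Owner names are
    lower-cased because DNS names are case-insensitive.  The serial field
    of the SOA rdata is replaced by a placeholder so that two masters with
    identical content but independent serials compare equal.  TTLs are not
    compared: in IPA both masters read them from the same LDAP entries.
    """
    records = {}
    serial = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {raw!r}")
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "SOA":
            serial = int(rdata[2])          # MNAME RNAME SERIAL REFRESH ...
            rdata = rdata[:2] + ["<serial>"] + rdata[3:]
        records.setdefault((owner, rtype), set()).add(" ".join(rdata))
    return serial, records


def compare_masters(zone_a, zone_b):
    """Diff two masters' zone content, ignoring the SOA serial.

    Returns both serials, whether they match (in IPA they usually do not),
    whether the record content matches, and a list of
    (owner, type, rdata_on_a, rdata_on_b) for every RRset that differs.
    """
    serial_a, rrs_a = parse_zone(zone_a)
    serial_b, rrs_b = parse_zone(zone_b)
    differences = []
    for key in sorted(set(rrs_a) | set(rrs_b)):
        on_a, on_b = rrs_a.get(key, set()), rrs_b.get(key, set())
        if on_a != on_b:
            differences.append((key[0], key[1], sorted(on_a), sorted(on_b)))
    return {
        "serial_a": serial_a,
        "serial_b": serial_b,
        "serials_match": serial_a == serial_b,
        "content_matches": not differences,
        "differences": differences,
    }


def health_verdict(result):
    """One-line verdict for a monitoring check: serial drift alone is OK."""
    if result["content_matches"]:
        note = "" if result["serials_match"] else \
            " (serials differ: expected with IPA multi-master DNS)"
        return "OK: zone content identical" + note
    return "ALERT: zone content differs on %d RRset(s)" % len(result["differences"])


if __name__ == "__main__":
    for label, other in (("ns02", NS02_ZONE), ("ns02-stale", NS02_STALE_ZONE)):
        res = compare_masters(NS01_ZONE, other)
        print(f"ns01 vs {label}: serials {res['serial_a']}/{res['serial_b']}"
              f" -> {health_verdict(res)}")
        for owner, rtype, a, b in res["differences"]:
            print(f"  {owner} {rtype}: ns01={a} {label}={b}")
```

Run as-is it reports the healthy pair as OK with a serial note and the stale pair as an ALERT on the missing SRV RRset. Against real servers, feed `compare_masters` the output of a zone transfer from each master in place of the embedded strings; the parsing assumes one record per line in the usual `owner TTL class type rdata` layout.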
From pspacek at redhat.com Mon Jul 11 13:46:03 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 11 Jul 2016 15:46:03 +0200
Subject: [Freeipa-users] steps to debug SOA serial being out of sync?
In-Reply-To:
References:
Message-ID: <1e27ec35-1c3e-73fe-7a2b-f044a8c61b89@redhat.com>

On 11.7.2016 15:40, Anthony Clark wrote:
> Thanks for the answer,
>
> I just wanted to confirm: Various "DNS health checks" complain about SOA
> serials not being the same. Are those safe to ignore?

Yes, unless you are doing incremental zone transfers.

> I have 2 FreeIPA servers for basic redundancy. Should I not be pointing my
> hosts at both FreeIPA hosts for DNS?

It is okay to point clients to both servers as long as the clients are not
doing incremental zone transfers. If you plan to do incremental zone
transfers, point clients to a single IPA server.

That is it.

Petr^2 Spacek

> Anthony
>
> On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek wrote:
>
>> On 8.7.2016 19:13, Anthony Clark wrote:
>>> Hello All,
>>>
>>> I have two FreeIPA servers set up as follows:
>>>
>>> ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns
>>> --ssh-trust-dns --forwarder=1.2.3.4
>>>
>>> ns02: ipa-replica-install
>>> /var/lib/ipa/replica-info-ns02.dev.redacted.net.gpg --setup-ca --mkhomedir
>>> --ssh-trust-dns --setup-dns --forwarder=1.2.3.4
>>>
>>>
>>> Now, after being in use for a few months, my SOA serial numbers are
>>> different as reported by the two servers:
>>>
>>> ns01 reports 1467996578
>>> ns02 reports 1467996455
>>>
>>> [root at ns02 ~]# ipa dnszone-show dev.redacted.net
>>> ...
>>> SOA serial: 1467996455
>>> ...
>>>
>>> Same result on ns01, 1467996455
>>>
>>> ipa-replica-conncheck is fine.
>>>
>>> After an "ipactl restart" on ns02 (thinking that I needed to refresh the
>>> ns02 FreeIPA instance somehow) the SOA serial on ns02 increments *beyond*
>>> that of ns01:
>>>
>>> ns01: 1467996578
>>> ns02: 1467997519
>>>
>>> Another "ipactl restart" on ns02 results in:
>>>
>>> ns01: 1467996578
>>> ns02: 1467997595
>>>
>>> running "ipactl restart" on ns01 results in:
>>>
>>> ns01: 1467997873
>>> ns02: 1467997595
>>>
>>> ns02 doesn't seem to be getting its serial number from ns01 at all.
>>>
>>> Did I set up ns02 incorrectly? Should I have skipped the "--setup-dns" on
>>> the replica?
>>>
>>> Does anyone have any suggestions on how to debug this further?
>>
>> Hello,
>>
>> this is in fact expected. IPA has multi-master DNS so serials are not
>> synced.
>>
>> This is documented in
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#zone-transfers
>>
>> I hope it helps.
>>
>> --
>> Petr^2 Spacek
>>
>

-- 
Petr Spacek @ Red Hat

From rcritten at redhat.com Mon Jul 11 14:10:46 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jul 2016 10:10:46 -0400
Subject: [Freeipa-users] updating certificates
In-Reply-To:
References: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com> <57728EB8.2050805@redhat.com>
Message-ID: <5783A8E6.4010407@redhat.com>

jcnt at use.startmail.com wrote:
> On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote:
>> jcnt at use.startmail.com wrote:
>>> Greetings,
>>>
>>> About a year ago I installed my freeipa server with certificates from
>>> startssl using command line options --dirsrv-cert-file --http-cert-file
>>> etc.
>>> The certificate is about to expire, what is the proper way to update it
>>> in all places?
>>
>> It depends on whether you kept the original CSR or not.
>> If you kept the
>> original CSR and are just renewing the certificate(s) then when you get
>> the new one, use certutil to add the updated cert to the appropriate NSS
>> database like:
>>
>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
>> /path/to/new.crt
>>
>
> Rob,
>
> Thank you, that worked just fine, except that I had to update an intermediate certificate as well.
>
> Two questions, please:
>
> 1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and /etc/dirsrv/slapd-domain.
> In both places original intermediate certificate is listed with empty ",," trust attributes so I initially added new intermediate certificate with empty attributes as well.
> certutil -V showed valid certificate in /etc/httpd/alias and not trusted in /etc/dirsrv/slapd-domain so I had to modify intermediate certificate with -t "C,,"

Hmm, not sure. Did the CA chain change in between the issuance of the two
certs? Adding a new certificate shouldn't affect the trust of any other
certs so I'm not sure what happened. It could be that those subordinate
CAs were loaded the first time incorrectly but weren't used so it wasn't
noticed, I'm not really sure.

> 2. Just out of curiosity I wanted to list private keys and is prompted for a password:
> # certutil -K -d /etc/httpd/alias/
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
>
> Which one of the many provided by a user passwords is used by ipa-server-install command during NSS database initialization?

In each NSS directory there is a pwdfile.txt which contains the PIN for
the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to your
command to list the private keys.
rob

From rcritten at redhat.com Mon Jul 11 14:13:19 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jul 2016 10:13:19 -0400
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To:
References: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com>
Message-ID: <5783A97F.5040406@redhat.com>

Prashant Bapat wrote:
> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
> and compiled the ipa-pwd-extop slapi plugin.
>
> Now the user is denied bind. But unable to reset the password.

Right, it's a tricky problem which is why it hasn't been resolved yet.
You have come full circle through the same steps we went through.

rob

>
>
> On 8 July 2016 at 13:21, Martin Kosek wrote:
>
> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
> > Anyone ?!
> >
> > On 6 July 2016 at 22:36, Prashant Bapat wrote:
> >
> > Hi,
> >
> > We are using FreeIPA's LDAP as the base for user authentication in a
> > different application. So far I have created a sysaccount which does the
> > lookup etc for a user and things are working as expected. I'm even able to
> > use OTP from the external app.
> >
> > One problem I'm struggling to fix is the expired passwords. Is there a way
> > to deny bind to LDAP only from this application? Obviously the user would
> > need to go to IPA's web UI and reset his password there.
> >
> > I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
> > looks like this is an old one.
> >
> > Thanks.
> > --Prashant
>
> Hello Prashant,
>
> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right ticket, if
> you want users with expired passwords to be denied, but it was not implemented
> yet. Help welcome!
>
> As a workaround, I assume you could simply leverage Kerberos for authentication
> - it does respect expired passwords.
We have advise on how to > integrate that to > external web applications here: > > http://www.freeipa.org/page/Web_App_Authentication > > Martin > > > > From jstephen at redhat.com Mon Jul 11 14:44:16 2016 From: jstephen at redhat.com (Justin Stephenson) Date: Mon, 11 Jul 2016 10:44:16 -0400 Subject: [Freeipa-users] Freeipa and sudo In-Reply-To: References: Message-ID: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com> Hello, From the logs below, it appears the failure occurs when a HBAC evaluation is done. Can you double-check the HBAC rule 'Unixari na test servery' ? Also, you can run the below command for testing the expected HBAC rules are allowing/denying access # ipa hbactest --user 'simecek.tomas at sd-stc.cz ' --host 'hostname' --service=sudo ---------------------------------------------------- /(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] 
[hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group 
memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]// //(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]/ Kind regards, Justin Stephenson On 07/11/2016 03:04 AM, Tomas Simecek wrote: > Hi all, > thanks and sorry for my late answer again. I am new to mailing lists > and I assumed noone is respnding when mails are not coming. > I did not know I have to check on the website. > > I have enabled sssd_sudo log and here are outputs from sssd_sudo.log > and sssd_linuxdomain.cz.log when trying sudo again: > sssd_sudo.log: > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): > Client connected! > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] > (0x0200): Received client version [1]. > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] > (0x0200): Offered version [1]. 
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=+*)))]
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
> Looking at it with my untrained eye gives no clue what could be wrong.
>
> Here is sssd_linuxdomain.cz.log from the same moment:
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 32 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be processed individually
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 33 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x2000): This is not a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160629090835Z] to attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] (0x0400): Storing info for group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Adding member users to group [grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_fill_memberships] (0x1000): member #0 (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] (0x0400): No members for group [ad_admins_external]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] (0x2000): No external members, done
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 34 timeout 60
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 34 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 35 timeout 60
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cece0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 35 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 36
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 36 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841540fe90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 36 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 37
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 37 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84154511d0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 37 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30820]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30820].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30820] finished successfully.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas@sd-stc.cz] is empty, running request [0x7f841541e810] immediately.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30821]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getDomains on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [SD-STC]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 38 timeout 6
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 38 finished
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 39 timeout 6
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustDirection]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 39 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a member domain
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] (0x0200): Trust direction of sd-stc.cz is trust direction not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 40 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 40 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): No view found, using default.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): Found view name [default].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468220118][1468220118][1468256118][1468306518].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas@sd-stc.cz] is empty.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] done.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30821].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30821] finished successfully.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 41 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542ea90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 41 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 42
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 42 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 42 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 43
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 43 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 43 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=simecek.tomas@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas@sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas@sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas@sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [simecek.tomas@sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 44 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 44 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 45 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 45 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 46 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x0400): > Search result: Success(0), no errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x2000): > Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_op_destructor] (0x2000): Operation 46 > finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_servicegroup_info_next] (0x0400): > Sending request for next search base: > [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_print_server] (0x2000): Searching > 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [member] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberOf] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 47 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_op_add] (0x2000): New operation 47 > timeout 60 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [member] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [member] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x0400): > Search result: Success(0), no errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x2000): > Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_op_destructor] (0x2000): Operation 47 > finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_rule_info_next] (0x0400): Sending > request for next 
search base: > [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_print_server] (0x2000): Searching > 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with > [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipaenabledflag] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [accessRuleType] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberUser] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [userCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberService] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [serviceCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [sourceHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [sourceHostCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [externalHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [hostCategory] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 48 > (Mon Jul 11 
08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_op_add] (0x2000): New operation 48 > timeout 60 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_entry] (0x1000): OriginalDN: > [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipaenabledflag] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [accessRuleType] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberUser] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberService] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberHost] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], > ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x0400): > Search result: Success(0), no errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_op_finished] (0x2000): > Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_op_destructor] (0x2000): Operation 48 > finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_attrs_to_rule] (0x1000): Processing > rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_user_attrs_to_rule] (0x1000): > Processing users for rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_users] (0x2000): Search users > with filter: > (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_users] (0x2000): No such entry > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_groups] (0x2000): Search > groups with filter: > (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_user_attrs_to_rule] (0x2000): Added > POSIX group [grpunixadmins] to rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x1000): > Processing PAM services for rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x2000): > Added service [login] to rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x2000): > Added service [sshd] to rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_thost_attrs_to_rule] (0x1000): > Processing target hosts for rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz > ]]] [hbac_host_attrs_to_rule] (0x2000): Added > host [spcss-2t-www.linuxdomain.cz > ] to rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_host_attrs_to_rule] (0x1000): > [fqdn=zp-cml-test.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] > does not map to either a host or hostgroup. Skipping > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_shost_attrs_to_rule] (0x0400): > Processing source hosts for rule [Unixari na test servery] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_shost_attrs_to_rule] (0x2000): Source > hosts disabled, setting ALL > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x1000): [7] > groups for [simecek.tomas at sd-stc.cz ] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x1000): Added > group [grpunixadmins] for user [simecek.tomas at sd-stc.cz > ] > (Mon Jul 
11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_evaluate_rules] (0x0080): Access > denied by HBAC rules > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Backend > returned: (0, 6, ) [Success (Permission denied)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sending > result [6][sd-stc.cz ] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sent > result [6][sd-stc.cz ] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sbus_message_handler] (0x2000): Received > SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sbus_get_sender_id_send] (0x2000): Not a > sysbus message, quit > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_req_set_domain] (0x0400): Changing > request domain from [linuxdomain.cz ] to > [sd-stc.cz ] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler] (0x0100): Got request with > the following data > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): command: > SSS_PAM_PREAUTH > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): domain: > sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): user: > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): service: sudo > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): ruser: > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): rhost: > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): authtok type: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): priv: 0 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): logon name: not set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [krb5_auth_queue_send] (0x1000): Wait queue > of user [simecek.tomas at sd-stc.cz ] is > empty, running request [0x7f8415414ac0] immediately. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [fo_resolve_service_send] (0x0100): Trying > to resolve service 'IPA' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [get_server_status] (0x1000): Status of > server 'svlxxipap.linuxdomain.cz ' is > 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [get_port_status] (0x1000): Port status of > port 0 for server 'svlxxipap.linuxdomain.cz > ' is 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [fo_resolve_service_activate_timeout] > (0x2000): Resolve timeout set to 6 seconds > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [get_server_status] (0x1000): Status of > server 'svlxxipap.linuxdomain.cz ' is > 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_resolve_server_process] (0x1000): > Saving the first resolved server > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_resolve_server_process] (0x0200): Found > address for server svlxxipap.linuxdomain.cz > : [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > 
]]] [ipa_resolve_callback] (0x0400): > Constructed uri 'ldap://svlxxipap.linuxdomain.cz > ' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sss_krb5_realm_has_proxy] (0x0040): > profile_get_values failed. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [child_handler_setup] (0x2000): Setting up > signal handler up for pid [30822] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [child_handler_setup] (0x2000): Signal > handler set up for pid [30822] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [write_pipe_handler] (0x0400): All data has > been sent! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [child_sig_handler] (0x1000): Waiting for > child [30822]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [child_sig_handler] (0x0100): child [30822] > finished successfully. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [read_pipe_handler] (0x0400): EOF received, > client finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [fo_set_port_status] (0x0100): Marking port > 0 of server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [set_server_common_status] (0x0100): > Marking server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [fo_set_port_status] (0x0400): Marking port > 0 of duplicate server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [krb5_auth_store_creds] (0x0010): > unsupported PAM command [249]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [krb5_auth_store_creds] (0x0010): password > not available, offline auth may not work. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [check_wait_queue] (0x1000): Wait queue for > user [simecek.tomas at sd-stc.cz ] is empty. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>
> Any idea what to check next?
>
> Thanks a lot.
>
> Tomas
>
> 2016-07-04 9:50 GMT+02:00 Tomas Simecek:
>
> Dear freeipa users/admins,
> I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
> Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can log in without problems.
> What I cannot get working is sudo from their AD accounts on Linux.
>
> No matter what I try, it is still:
>
> sudo systemctl restart httpd
> [sudo] password for simecek.tomas at sd-stc.cz:
> Sorry, try again.
>
> Here's our setup:
> Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> Freeipa client: the same
>
> AD domain name: sd-stc.cz
> IPA domain: linuxdomain.cz
>
> When digging in the logs and googling, I realized that the problem on the client side could be:
>
> [root at spcss-2t-www ~]# kinit -k
> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>
> But this seems to work:
> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ
> Password for simecek.tomas at SD-STC.CZ:
> [root at spcss-2t-www ~]# klist
> Default principal: simecek.tomas at SD-STC.CZ
>
> Valid starting       Expires              Service principal
> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ at SD-STC.CZ
>         renew until 07/05/2016 09:36:23
>
> My /etc/sssd/sssd.conf:
> [domain/linuxdomain.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linuxdomain.cz
> krb5_realm = LINUXDOMAIN.CZ
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spcss-2t-www.linuxdomain.cz
> chpass_provider = ipa
> ipa_server = svlxxipap.linuxdomain.cz
> ldap_tls_cacert = /etc/ipa/ca.crt
> override_shell = /bin/bash
> sudo_provider = ldap
> ldap_uri = ldap://svlxxipap.linuxdomain.cz
> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ
> ldap_sasl_realm = LINUXDOMAIN.CZ
> krb5_server = svlxxipap.linuxdomain.cz
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = linuxdomain.cz
>
> [nss]
> homedir_substring = /home
> ....
>
> My /etc/krb5.conf:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = LINUXDOMAIN.CZ
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> LINUXDOMAIN.CZ = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .linuxdomain.cz = LINUXDOMAIN.CZ
> linuxdomain.cz = LINUXDOMAIN.CZ
>
> Would you please suggest which way to investigate?
>
> Thanks
>
> Tomas Simecek

From rmj at ast.cam.ac.uk Mon Jul 11 14:45:32 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Mon, 11 Jul 2016 15:45:32 +0100
Subject: [Freeipa-users] ipa-replica-prepare Certificate issuance failed
In-Reply-To: <04fe73c6-11f4-df28-bb25-9c5c40b18390@ast.cam.ac.uk>
References: <3babc037-5af2-9fd9-577e-3576b413a3a1@ast.cam.ac.uk> <4950e2e9-e7c7-b21c-fec7-4aeff465c1fc@redhat.com> <75a9453e-5857-cff5-2c48-12f375a52419@ast.cam.ac.uk> <768945f0-b02a-5d4c-7974-5dd6c353684f@ast.cam.ac.uk> <577E60E6.90901@redhat.com> <6ff02870-3319-7ebc-6d3c-4e857b22e457@ast.cam.ac.uk> <04fe73c6-11f4-df28-bb25-9c5c40b18390@ast.cam.ac.uk>
Message-ID: <7a146556-9d59-b44a-9d7f-7795d8710002@ast.cam.ac.uk>

On 08/07/16 16:49, Roderick Johnstone wrote:
> On 07/07/16 18:06, Roderick Johnstone wrote:
>> On 07/07/16 16:30, Petr Vobornik wrote:
>>> On 07/07/2016 05:09 PM, Roderick Johnstone wrote:
>>>> On 07/07/16 15:02, Rob Crittenden wrote:
>>>>> Roderick Johnstone wrote:
>>>>>> On 05/07/16 11:52, Roderick Johnstone wrote:
>>>>>>> On 04/07/2016 15:12, Martin Babinsky wrote:
>>>>>>>> On 07/04/2016 10:23 AM, Roderick Johnstone wrote:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without
problems. >>>>>>>>> >>>>>>>>> Now I'd like to bring online another replica (server3). >>>>>>>>> >>>>>>>>> All servers are now on Redhat 7.2 >>>>>>>>> ipa-server-4.2.0-15.el7_2.17.x86_64, >>>>>>>>> but I get the following error when I run this on server1: >>>>>>>>> >>>>>>>>> server1> ipa-replica-prepare server3.example.com >>>>>>>>> >>>>>>>>> Directory Manager (existing master) password: >>>>>>>>> >>>>>>>>> Preparing replica for server3.example.com from server1.example.com >>>>>>>>> Creating SSL certificate for the Directory Server >>>>>>>>> Certificate issuance failed >>>>>>>>> >>>>>>>>> >>>>>>>>> If I repeat this on server2, my fist replica, it succeeds. >>>>>>>>> >>>>>>>>> Running in debug mode on server1: >>>>>>>>> server1> ipa-replica-prepare --debug server3.example.com >>>>>>>>> gives a lot of output of which the following seems relevant (some >>>>>>>>> info >>>>>>>>> has been anonymised): >>>>>>>>> >>>>>>>>> Generating key. This may take a few moments... >>>>>>>>> >>>>>>>>> >>>>>>>>> ipa: DEBUG: request POST >>>>>>>>> https://server1.example.com:8443/ca/ee/ca/profileSubmitSSLClient >>>>>>>>> ipa: DEBUG: request body >>>>>>>>> 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=...CU24QyOEd%0A&cert_request_type=pkcs10&xmlOutput=true' >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> ipa: DEBUG: NSSConnection init server1.example.com >>>>>>>>> ipa: DEBUG: Connecting: xxx.xxx.xxx.xxx:0 >>>>>>>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL >>>>>>>>> Server >>>>>>>>> ipa: DEBUG: cert valid True for >>>>>>>>> "CN=server1.example.com,O=EXAMPLE.COM" >>>>>>>>> ipa: DEBUG: handshake complete, peer = xxx.xxx.xxx.xxx:8443 >>>>>>>>> ipa: DEBUG: Protocol: TLS1.2 >>>>>>>>> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>>>>>>>> ipa: DEBUG: response status 200 >>>>>>>>> ipa: DEBUG: response headers {'date': 'Fri, 01 Jul 2016 15:13:37 >>>>>>>>> GMT', >>>>>>>>> 'content-length': 
'161', 'content-type': 'application/xml', >>>>>>>>> 'server': >>>>>>>>> 'Apache-Coyote/1.1'} >>>>>>>>> ipa: DEBUG: response body '>>>>>>>> standalone="no"?>1Server >>>>>>>>> Internal >>>>>>>>> Error 3' >>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>>>>>>> 171, in >>>>>>>>> execute >>>>>>>>> return_value = self.run() >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> line 337, in run >>>>>>>>> self.copy_ds_certificate() >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> line 382, in copy_ds_certificate >>>>>>>>> self.export_certdb("dscert", passwd_fname) >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> line 589, in export_certdb >>>>>>>>> db.create_server_cert(nickname, hostname, ca_db) >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>>>>>>> line 337, in create_server_cert >>>>>>>>> cdb.issue_server_cert(self.certreq_fname, self.certder_fname) >>>>>>>>> File >>>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>>>>>>> line 418, in issue_server_cert >>>>>>>>> raise RuntimeError("Certificate issuance failed") >>>>>>>>> >>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: >>>>>>>>> The >>>>>>>>> ipa-replica-prepare command failed, exception: RuntimeError: >>>>>>>>> Certificate >>>>>>>>> issuance failed >>>>>>>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: >>>>>>>>> Certificate issuance failed >>>>>>>>> >>>>>>>>> If its of 
relevance I did change the directory manager password on >>>>>>>>> both >>>>>>>>> server1 and server2 a couple of weeks ago. >>>>>>>>> >>>>>>>>> I'd appreciate some pointers to resolving this. >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>> Roderick Johnstone >>>>>>>>> >>>>>>>> Hi Roderick, >>>>>>>> >>>>>>>> try to look in the logs of the pki-ca subsystem. They should be >>>>>>>> located >>>>>>>> in /var/log/pki/pki-tomcat/ca/ directory. Look into the "system" >>>>>>>> and >>>>>>>> "debug" logs mainly. >>>>>>>> >>>>>>> >>>>>>> Martin >>>>>>> >>>>>>> Thanks for the pointers. We had looked at a lot of log files, but >>>>>>> not >>>>>>> those ones! >>>>>>> >>>>>>> We were running the ipa-replica-prepare during the afternoon of 1 >>>>>>> July. >>>>>>> Here are the last few entries in the system log file. >>>>>>> >>>>>>> 0.profileChangeMonitor - [24/Jun/2016:04:45:51 BST] [8] [3] In Ldap >>>>>>> (bound) connection pool to host server1.example.com port 636, Cannot >>>>>>> connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error >>>>>>> creating JSS SSL Socket (-1) >>>>>>> 0.CRLIssuingPoint-MasterCRL - [01/Jul/2016:10:26:04 BST] [3] [3] >>>>>>> CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the >>>>>>> internaldb. 
Error LDAP operation failure - >>>>>>> cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca >>>>>>> netscape.ldap.LDAPException: error result (1) >>>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:16:04:58 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x1 >>>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:16:07:18 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x2 >>>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:16:13:37 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x3 >>>>>>> 0.http-bio-8443-exec-4 - [01/Jul/2016:17:07:01 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x1 >>>>>>> 0.http-bio-8443-exec-6 - [01/Jul/2016:17:28:35 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x2 >>>>>>> 0.http-bio-8443-exec-8 - [01/Jul/2016:17:56:02 BST] [3] [3] Could >>>>>>> not >>>>>>> store certificate serial number 0x3 >>>>>>> >>>>>>> >>>>>>> At corresponding times, in the debug logs there are entries like: >>>>>>> >>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: LDAP operation >>>>>>> failure - >>>>>>> cn=1,ou=certificateRepository, ou=ca, o=ipaca >>>>>>> netscape.ldap.LDAPException: error result (68) >>>>>>> >>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: CertRequestSubmitter: >>>>>>> submit LDAP operation failure - cn=1,ou=certificateRepository, >>>>>>> ou=ca, >>>>>>> o=ipaca netscape.ldap.LDAPException: error result (68) >>>>>>> >>>>>>> [01/Jul/2016:16:04:58][http-bio-8443-exec-4]: >>>>>>> SignedAuditEventFactory: >>>>>>> create() >>>>>>> message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=ipara][Outcome=Failure][ReqID=1][InfoName=rejectReason][InfoValue=Server >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Internal Error] certificate request processed >>>>>>> >>>>>>> And then in the dirsrv error file there seems to be one of these for >>>>>>> each of the attempts to run ipa-replica-prepare: >>>>>>> [01/Jul/2016:16:04:57 +0100] - Entry >>>>>>> 
"uid=admin,ou=people,o=ipaca" -- >>>>>>> attribute "krbExtraData" not allowed >>>>>>> [01/Jul/2016:16:07:16 +0100] - Entry >>>>>>> "uid=admin,ou=people,o=ipaca" -- >>>>>>> attribute "krbExtraData" not allowed >>>>>>> [01/Jul/2016:16:13:36 +0100] - Entry >>>>>>> "uid=admin,ou=people,o=ipaca" -- >>>>>>> attribute "krbExtraData" not allowed >>>>>>> >>>>>>> Do you think this is looking like the root cause? Can you suggest >>>>>>> how we >>>>>>> fix that? >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>>> Roderick >>>>>>> >>>>>> >>>>>> Hi >>>>>> >>>>>> Did anyone have any ideas on fixing this please. I'm a bit stuck now. >>>>> >>>>> When you changed the DM passwords did you follow this, >>>>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password >>>>> >>>>> rob >>>> >>>> Hi Rob >>>> >>>> Well, yes, but I did nothing because I read that page to say that >>>> nothing needed doing becuase our server was on freeipa 4.2.0 (Redhat >>>> 7.2) and the procedure is automated for that version freeipa 3.3.2. >>>> >>>> Did I misunderstand that? >>>> >>>> Roderick >>>> >>> >> >> Hi Petr >> >>> Roderick, could you attach also snipped of dirsrv access log around the >>> time you see the "attribute "krbExtraData" not allowed" error? >> >> Would it be ok to send you this off-list? There is some stuff that >> identifies our domain and servers etc which I would rather not post to >> the list. >> >>> >>> After that, could you try to do step 3 of >>> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password to >>> check if the automatic password change which is done in >>> ipa-replica-prepare failed. And if it is therefore the root cause. >>> >> >> I'm not sure if I actually need to do the first step (ldappasswd), but I >> can confirm that the second step, the ldapsearch, works if I use the new >> Directory Manager password. Is that enough to know, otherwise I can do >> the ldappasswd tomorrow (just don't want to mess with more than >> necessary now!). >> >> Thanks. 
>>
>> Roderick
>>
>
> Hi
>
> The "krbExtraData not allowed" might be a red herring since it's also present in the server2 logs where the ipa-replica-prepare worked ok.
>
> Back to the drawing board searching for a reason ipa-replica-prepare fails on server1.
>
> Roderick
>

Petr

Here, as requested, attached is the snippet of the dirsrv access log near the time of the first failure to run ipa-replica-prepare (16:04:57). I've anonymized it.

It seems like this issue has further consequences, since when enrolling a new client, the following was logged to /var/log/messages:

Jul 11 14:16:57 zzz.example.com certmonger: Server at https://server1.example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: FAILURE (Server Internal Error)).

Roderick

[01/Jul/2016:16:04:56 +0100] conn=7972 fd=120 slot=120 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[01/Jul/2016:16:04:56 +0100] conn=7972 op=0 BIND dn="cn=directory manager" method=128 version=3
[01/Jul/2016:16:04:56 +0100] conn=7972 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[01/Jul/2016:16:04:56 +0100] conn=7972 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[01/Jul/2016:16:04:56 +0100] conn=7972 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:56 +0100] conn=7972 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[01/Jul/2016:16:04:56 +0100] conn=7972 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:56 +0100] conn=7972 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=example,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
[01/Jul/2016:16:04:56 +0100] conn=7972 op=3 RESULT err=0 tag=101 nentries=2 etime=0
[01/Jul/2016:16:04:56 +0100] conn=7972 op=4 UNBIND
[01/Jul/2016:16:04:56 +0100] conn=7972 op=4 fd=120 closed - U1
[01/Jul/2016:16:04:56 +0100] conn=7973 fd=120 slot=120 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[01/Jul/2016:16:04:56 +0100] conn=7973 op=0 BIND dn="cn=directory manager" method=128 version=3
[01/Jul/2016:16:04:56 +0100] conn=7973 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[01/Jul/2016:16:04:56 +0100] conn=7973 op=1 SRCH base="cn=IPA Version Replication,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[01/Jul/2016:16:04:56 +0100] conn=7973 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:56 +0100] conn=7973 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[01/Jul/2016:16:04:56 +0100] conn=7973 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:56 +0100] conn=7973 op=3 UNBIND
[01/Jul/2016:16:04:56 +0100] conn=7973 op=3 fd=120 closed - U1
[01/Jul/2016:16:04:57 +0100] conn=7974 fd=120 slot=120 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[01/Jul/2016:16:04:57 +0100] conn=7974 op=0 BIND dn="cn=directory manager" method=128 version=3
[01/Jul/2016:16:04:57 +0100] conn=7974 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[01/Jul/2016:16:04:57 +0100] conn=7974 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[01/Jul/2016:16:04:57 +0100] conn=7974 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[01/Jul/2016:16:04:57 +0100] conn=7974 op=2 UNBIND
[01/Jul/2016:16:04:57 +0100] conn=7974 op=2 fd=120 closed - U1
[01/Jul/2016:16:04:57 +0100] conn=7975 fd=120 slot=120 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[01/Jul/2016:16:04:57 +0100] conn=7975 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Jul/2016:16:04:57 +0100] conn=7975 TLS1.2 256-bit AES-GCM
[01/Jul/2016:16:04:57 +0100] conn=7975 op=1 BIND dn="cn=Replication Manager masterAgreement1-xxx.example.com-pki-tomcat,ou=csusers,cn=config" method=128 version=3
[01/Jul/2016:16:04:57 +0100] conn=7975 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager masteragreement1-xxxx.example.com-pki-tomcat,ou=csusers,cn=config"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:57 +0100] conn=7975 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:57 +0100] conn=7975 op=4 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[01/Jul/2016:16:04:57 +0100] conn=7975 op=5 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[01/Jul/2016:16:04:57 +0100] conn=7975 op=5 RESULT err=0 tag=120 nentries=0 etime=0
[01/Jul/2016:16:04:58 +0100] conn=16 op=947 SRCH base="cn=7,ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[01/Jul/2016:16:04:58 +0100] conn=16 op=947 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:58 +0100] conn=17 op=3 SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM)" attrs=ALL
[01/Jul/2016:16:04:58 +0100] conn=17 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:58 +0100] conn=17 op=4 SRCH base="cn=Registration Manager Agents,ou=groups,o=ipaca" scope=0 filter="(uniqueMember=uid=ipara,ou=people,o=ipaca)" attrs="cn"
[01/Jul/2016:16:04:58 +0100] conn=17 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[01/Jul/2016:16:04:58 +0100] conn=16 op=948 ADD dn="cn=1,ou=ca,ou=requests,o=ipaca"
[01/Jul/2016:16:04:58 +0100] conn=16 op=948 RESULT err=68 tag=105 nentries=0 etime=0
[01/Jul/2016:16:04:58 +0100] conn=16 op=949 ADD dn="cn=1,ou=certificateRepository,ou=ca,o=ipaca"
[01/Jul/2016:16:04:58 +0100] conn=16 op=949 RESULT err=68 tag=105 nentries=0 etime=0
[01/Jul/2016:16:04:58 +0100] conn=16 op=950 MOD dn="cn=1,ou=ca,ou=requests,o=ipaca"
[01/Jul/2016:16:04:58 +0100] conn=16 op=950 RESULT err=0 tag=103 nentries=0 etime=0 csn=5776869b000000600000
[01/Jul/2016:16:04:59 +0100] conn=7975 op=6 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[01/Jul/2016:16:04:59 +0100] conn=7975 op=6 RESULT err=0 tag=120 nentries=0 etime=0
[01/Jul/2016:16:04:59 +0100] conn=7975 op=7 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[01/Jul/2016:16:04:59 +0100] conn=7975 op=7 RESULT err=0 tag=120 nentries=0 etime=0

From simecek.tomas at gmail.com Mon Jul 11 17:33:06 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 11 Jul 2016 19:33:06 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com>
References: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com>
Message-ID:

Hi Justin,

thanks for your response. The rule you're referring to is the rule granting the AD user's group access to servers through ssh, not the sudo rule. I'm not sure why the rule is referred to in the logs when doing sudo. Accessing servers using AD accounts and ssh works fine.

The sudo rule is called Pokusne:

[root at svlxxipap ~]# ipa sudorule-show
Rule name: Pokusne
  Rule name: Pokusne
  Enabled: TRUE
  Command category: all
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz

Here I tried to run the command you suggested:

[root at svlxxipap ~]# ipa hbactest --user 'simecek.tomas at sd-stc.cz' --host spcss-2t-www.linuxdomain.cz --service=sudo
---------------------
Access granted: False
---------------------
  Not matched rules: Unixari na test servery

But why do we test HBAC rules when sudo is required? Sudo permission is granted through sudo rules, or am I wrong?
Thanks

Tomas

2016-07-11 16:44 GMT+02:00 Justin Stephenson:
> Hello,
>
> From the logs below, it appears the failure occurs when an HBAC evaluation is done. Can you double-check the HBAC rule 'Unixari na test servery'?
> Also, you can run the command below to test whether the expected HBAC rules are allowing/denying access:
>
> # ipa hbactest --user 'simecek.tomas at sd-stc.cz' --host 'hostname' --service=sudo
>
> ----------------------------------------------------
>
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
>
> Kind regards,
>
> Justin Stephenson
>
> On 07/11/2016 03:04 AM, Tomas Simecek wrote:
>
> Hi all,
> thanks and sorry for my late answer again. I am new to mailing lists and I assumed no one is responding when mails are not coming.
> I did not know I have to check on the website.
>
> I have enabled the sssd_sudo log and here are the outputs from sssd_sudo.log and sssd_linuxdomain.cz.log when trying sudo again:
>
> sssd_sudo.log:
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): > Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [ simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [ simecek.tomas at sd-stc.cz > ] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About to get sudo rules from cache > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > 
[(&(objectClass=sudoRule)(|(name=defaults)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [@sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): > Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [ simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [ simecek.tomas at sd-stc.cz > ] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving rules for [ simecek.tomas at sd-stc.cz] > from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About to get sudo rules from 
cache > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): > Sorting rules with higher-wins logic > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 1 rules for [simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): > Received SBUS method org.freedesktop.sssd.service.ping on path > /org/freedesktop/sssd/service > (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > > Looking at it with my untrained eye gives no clue what could be wrong. 
>
> Here is sssd_linuxdomain.cz.log from the same moment:
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getAccountInfo on path
> /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_get_account_info] (0x0200): Got request for
> [0x1002][1][name=grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
> (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz
> ]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_groups_next_base] (0x0400): Searching for groups with base
> [cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
> (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 32 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
> (0x1000): OriginalDN:
> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 32 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_process_send] (0x2000): About to process group
> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_search_users] (0x2000): Search users with filter:
> (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_search_groups] (0x2000): Search groups with filter:
> (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group
> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_process_send] (0x2000): Members of group
> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be
> processed individually
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
> (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTSecurityIdentifier]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 33 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
> (0x1000): OriginalDN:
> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [modifyTimestamp]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [entryUSN]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 33 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
> setting GID=0!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_process_send] (0x2000): About to process group
> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x2000): This is a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes
> of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
> [20160629090835Z] to attributes of [grpunixadmins].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_ghost_members] (0x0400): The group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_ghost_members] (0x0400): Group has 1 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x0400): Storing info for group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute.
> [0][Success]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x2000): This is not a posix group
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to
> attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
> [20160629090835Z] to attributes of [ad_admins_external].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_ghost_members] (0x0400): The group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_ghost_members] (0x0400): Group has 0 members
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
> (0x0400): Storing info for group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
> (0x0400): Processing group grpunixadmins
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
> (0x0400): Adding member users to group [grpunixadmins]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_fill_memberships] (0x1000): member #0
> (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz):
> [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
> (0x0400): Processing group ad_admins_external
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
> (0x0400): Failed to get group sid
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
> (0x0400): No members for group [ad_admins_external]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done]
> (0x2000): No external members, done(Mon Jul 11 08:55:14 2016) [sssd[be[
> linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default
> Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 34 timeout 60
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841543e380], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 34 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getAccountInfo on path
> /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
> (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
> (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust
> View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 35 timeout 60
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f84153cece0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 35 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
> (0x0400): Executing extended operation
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
> (0x2000): ldap_extended_operation sent, msgid = 36
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 36 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841540fe90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841540fe90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
> (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 36 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
> (0x0400): Executing extended operation
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send]
> (0x2000): ldap_extended_operation sent, msgid = 37
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 37 timeout 6
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f84154511d0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f84154511d0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done]
> (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_op_destructor] (0x2000): Operation 37 finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_update_members_ex] (0x0020): Could not add member [
> simecek.tomas at sd-stc.cz] to group [name=
> simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sysdb_update_members_ex] (0x0020): Could not add member [
> simecek.tomas at sd-stc.cz] to group [name=
> simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.pamHandler on path
> /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
> (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
> (0x0100): Got request with the following data
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): command: SSS_PAM_PREAUTH
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): service: sudo
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): rhost:
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): authtok type: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): priv: 0
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): logon name: not set
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [krb5_auth_queue_send] (0x1000): Wait queue of user [
> simecek.tomas at sd-stc.cz] is empty, running
> request [0x7f8415414ac0] immediately.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
> (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
> (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
> 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
> seconds
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
> (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_resolve_server_process] (0x0200): Found address for server
> svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
> svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [child_handler_setup] (0x2000): Signal handler set up for pid [30820]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [fo_set_port_status] (0x0100): Marking port 0 of server '
> svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [set_server_common_status] (0x0100): Marking server '
> svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server '
> svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [krb5_auth_store_creds] (0x0010): password not available, offline auth may
> not work.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue]
> (0x1000): Wait queue for user [
> simecek.tomas at sd-stc.cz] is empty.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0]
> done.
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, )
> [Success (Success)]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
> [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
> (0x1000): Waiting for child [30820].
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
> (0x0100): child [30820] finished successfully.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.pamHandler on path
> /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain]
> (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
> (0x0100): Got request with the following data
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): command: PAM_AUTHENTICATE
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): service: sudo
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): rhost:
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): authtok type: 1
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): priv: 0
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
> (0x0100): logon name: not set
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [krb5_auth_queue_send] (0x1000): Wait queue of user [
> simecek.tomas at sd-stc.cz] is empty, running
> request [0x7f841541e810] immediately.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
> (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
> (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
> 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
> seconds
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status]
> (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [be_resolve_server_process] (0x0200): Found address for server
> svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
> svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [child_handler_setup] (0x2000): Signal handler set up for pid [30821]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getDomains on path
> /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains]
> (0x0400): Got get subdomains [SD-STC]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server]
> (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSecondaryBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
> (0x2000): New operation 38 timeout 6
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
> (0x1000): OriginalDN:
> [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
> ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
> (0x1000): OriginalDN:
> [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542c770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 38 finished
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 39 timeout 6
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustDirection]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 39 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a member domain
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] (0x0200): Trust direction of sd-stc.cz is trust direction not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 40 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 40 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): No view found, using default.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): Found view name [default].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468220118][1468220118][1468256118][1468306518].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] done.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30821].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30821] finished successfully.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 41 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841542ea90], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 41 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 42
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 42 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f8415458f80], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 42 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 43
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 43 timeout 6
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841544d770], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 43 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 44 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 44 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 45 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 45 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 46 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 46 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 47 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 47 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 48 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>
> Any idea what to check next?
>
> Thanks a lot.
>
> Tomas
>
> 2016-07-04 9:50 GMT+02:00 Tomas Simecek:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can log in without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas at sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on client
>> side could be:
>>
>> [root at spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ
>> Password for simecek.tomas at SD-STC.CZ:
>> [root at spcss-2t-www ~]# klist
>> Default principal: simecek.tomas at SD-STC.CZ
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ at SD-STC.CZ
>> renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simecek.tomas at gmail.com Mon Jul 11 17:34:23 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 11 Jul 2016 19:34:23 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References:
Message-ID:

Hi Danila,

[root at spcss-2t-www ~]# rpm -qa |grep sssd
sssd-common-pac-1.13.0-40.el7_2.9.x86_64
sssd-ldap-1.13.0-40.el7_2.9.x86_64
python-sssdconfig-1.13.0-40.el7_2.9.noarch
sssd-client-1.13.0-40.el7_2.9.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
sssd-proxy-1.13.0-40.el7_2.9.x86_64
sssd-common-1.13.0-40.el7_2.9.x86_64
sssd-ad-1.13.0-40.el7_2.9.x86_64
sssd-1.13.0-40.el7_2.9.x86_64
sssd-krb5-common-1.13.0-40.el7_2.9.x86_64
sssd-krb5-1.13.0-40.el7_2.9.x86_64

T.

2016-07-11 14:57 GMT+02:00 Danila Ladner:

> What version of sssd are you running?
>
> On Mon, Jul 11, 2016 at 3:04 AM, Tomas Simecek wrote:
>
>> Hi all,
>> thanks and sorry for my late answer again. I am new to mailing lists and
>> I assumed no one is responding when mails are not coming.
>> I did not know I have to check on the website.
>>
>> I have enabled sssd_sudo log and here are outputs from sssd_sudo.log and
>> sssd_linuxdomain.cz.log when trying sudo again:
>> sssd_sudo.log:
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Received client version [1].
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Offered version [1].
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
>> protocol version [1]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
>> Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> Returning info for user [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>> Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> 20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz
>> )(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%
>> account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About to get sudo rules from cache
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
>> [@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
>> protocol version [1]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain '
>> sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000):
>> Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> Returning info for user [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>> Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> 20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz
>> )(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%
>> account at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About to get sudo rules from cache
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
>> simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> 20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz
>> )(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%
>> account at sd-stc.cz)(sudoUser=+*)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400):
>> Sorting rules with higher-wins logic
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [
>> simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
>> Received SBUS method org.freedesktop.sssd.service.ping on path
>> /org/freedesktop/sssd/service
>> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send]
>> (0x2000): Not a sysbus message, quit
>>
>> Looking at it with my untrained eye gives no clue what could be wrong.
>>
>> Here is sssd_linuxdomain.cz.log from the same moment:
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.getAccountInfo on path
>> /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_get_account_info] (0x0200): Got request for
>> [0x1002][1][name=grpunixadmins]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_req_set_domain] (0x0400): Changing request domain from [
>> linuxdomain.cz] to [linuxdomain.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_groups_next_base] (0x0400): Searching for groups with base
>> [cn=accounts,dc=linuxdomain,dc=cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>> [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>> [ipaNTSecurityIdentifier]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 32 timeout 6
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f84153cc180], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
>> (0x1000): OriginalDN:
>> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [objectClass]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [cn]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [gidNumber]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [member]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [ipaUniqueID]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [modifyTimestamp]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [entryUSN]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f84153cc180], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>> errmsg set
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 32 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_process_send] (0x2000): About to process group
>> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_search_users] (0x2000): Search users with filter:
>> (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_search_users] (0x2000): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_search_groups] (0x2000): Search groups with filter:
>> (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group
>> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_process_send] (0x2000): Members of group
>> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be
>> processed individually
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>> [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>> [ipaNTSecurityIdentifier]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 33 timeout 6
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry]
>> (0x1000): OriginalDN:
>> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [objectClass]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [cn]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [ipaUniqueID]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [modifyTimestamp]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range]
>> (0x2000): No sub-attributes for [entryUSN]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f8415450e50], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>> errmsg set
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 33 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
>> setting GID=0!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_process_send] (0x2000): About to process group
>> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x0400): Processing group grpunixadmins
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x2000): This is a posix group
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
>> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes
>> of [grpunixadmins].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
>> [20160629090835Z] to attributes of [grpunixadmins].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_ghost_members] (0x0400): The group has 1 members
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_ghost_members] (0x0400): Group has 1 members
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x0400): Storing info for group grpunixadmins
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute.
>> [0][Success]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x0400): Processing group ad_admins_external
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x2000): This is not a posix group
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN
>> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to
>> attributes of [ad_admins_external].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
>> [20160629090835Z] to attributes of [ad_admins_external].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_ghost_members] (0x0400): The group has 0 members
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_ghost_members] (0x0400): Group has 0 members
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group]
>> (0x0400): Storing info for group ad_admins_external
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_primary_name] (0x0400): Processing object grpunixadmins
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
>> (0x0400): Processing group grpunixadmins
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
>> (0x0400): Adding member users to group [grpunixadmins]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_fill_memberships] (0x1000): member #0
>> (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz):
>> [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_primary_name] (0x0400): Processing object ad_admins_external
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
>> (0x0400): Processing group ad_admins_external
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
>> (0x0400): Failed to get group sid
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem]
>> (0x0400): No members for group [ad_admins_external]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done]
>> (0x2000): No external members, done(Mon Jul 11 08:55:14 2016) [sssd[be[
>> linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>> [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default
>> Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 34 timeout 60
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f841543e380], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f841543e380], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>> errmsg set
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 34 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Success)
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[(nil)], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.getAccountInfo on path
>> /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_req_set_domain] (0x0400): Changing request domain from [
>> linuxdomain.cz] to [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>> [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust
>> View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 35 timeout 60
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f84153cece0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>> errmsg set
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 35 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 36
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 36 timeout 6
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f841540fe90], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f841540fe90], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0),
>> (null).
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 36 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_search_by_name] (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 37
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add]
>> (0x2000): New operation 37 timeout 6
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f84154511d0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[0x7f84154511d0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0),
>> (null).
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_op_destructor] (0x2000): Operation 37 finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_save_objects] (0x2000): Updating memberships for
>> simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>> object](32)[ldb_wait: No such object (32)]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_update_members_ex] (0x0020): Could not add member [
>> simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_s2n_save_objects] (0x2000): Updating memberships for
>> simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>> object](32)[ldb_wait: No such object (32)]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sysdb_update_members_ex] (0x0020): Could not add member [
>> simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Success)
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1],
>> ops[(nil)], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.pamHandler on path
>> /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_req_set_domain] (0x0400): Changing request domain from [
>> linuxdomain.cz] to [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
>> (0x0100): Got request with the following data
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): command: SSS_PAM_PREAUTH
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): domain: sd-stc.cz
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): user: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): service: sudo
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): tty: /dev/pts/0
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): ruser: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): rhost:
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): authtok type: 0
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): newauthtok type: 0
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): priv: 0
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): cli_pid: 30819
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): logon name: not set
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [krb5_auth_queue_send] (0x1000): Wait queue of user [
>> simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0]
>> immediately.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz'
>> is 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
>> (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
>> 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
>> seconds
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz'
>> is 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_resolve_server_process] (0x1000): Saving the first resolved server
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_resolve_server_process] (0x0200): Found address for server
>> svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
>> svlxxipap.linuxdomain.cz'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [child_handler_setup] (0x2000): Signal handler set up for pid [30820]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [write_pipe_handler] (0x0400): All data has been sent!
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [read_pipe_handler] (0x0400): EOF received, client finished
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_set_port_status] (0x0100): Marking port 0 of server '
>> svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [set_server_common_status] (0x0100): Marking server '
>> svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server '
>> svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [krb5_auth_store_creds] (0x0010): password not available, offline auth may
>> not work.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue]
>> (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0]
>> done.
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, )
>> [Success (Success)]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [child_sig_handler] (0x1000): Waiting for child [30820].
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]]
>> [child_sig_handler] (0x0100): child [30820] finished successfully.
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.pamHandler on path
>> /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [be_req_set_domain] (0x0400): Changing request domain from [
>> linuxdomain.cz] to [sd-stc.cz]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler]
>> (0x0100): Got request with the following data
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): command: PAM_AUTHENTICATE
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): domain: sd-stc.cz
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): user: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): service: sudo
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): tty: /dev/pts/0
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): ruser: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): rhost:
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): authtok type: 1
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): newauthtok type: 0
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): priv: 0
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): cli_pid: 30819
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data]
>> (0x0100): logon name: not set
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [krb5_auth_queue_send] (0x1000): Wait queue of user [
>> simecek.tomas at sd-stc.cz] is empty, running request [0x7f841541e810]
>> immediately.
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz'
>> is 'working'
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status]
>> (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is
>> 'working'
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
>> seconds
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz'
>> is 'working'
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [be_resolve_server_process] (0x1000): Saving the first resolved server
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [be_resolve_server_process] (0x0200): Found address for server
>> svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://
>> svlxxipap.linuxdomain.cz'
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [child_handler_setup] (0x2000): Signal handler set up for pid [30821]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [write_pipe_handler] (0x0400): All data has been sent!
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.getDomains on path
>> /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [be_get_subdomains] (0x0400): Got get subdomains [SD-STC]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>> [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>> [ipaSecondaryBaseRID]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
>> [ipaNTTrustedDomainSID]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]]
>> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38
>> (Mon Jul 11 08:55:18 2016)
[sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 38 timeout 6 >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841542c770], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectClass] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaBaseID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaBaseRID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaSecondaryBaseRID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaIDRangeSize] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaRangeType] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841542c770], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectClass] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaBaseID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaBaseRID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaIDRangeSize] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaRangeType] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841542c770], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 38 finished >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >> [ipaNTTrustedDomainSID] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >> [ipaNTTrustDirection] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39 >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 39 timeout 6 >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [cn=sd-stc.cz >> ,cn=ad,cn=trusts,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaNTFlatName] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaNTTrustDirection] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 39 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a >> member domain >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] >> (0x0200): Trust direction of sd-stc.cz is trust direction not set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP >> deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_search_send] (0x0400): Dereferencing entry >> [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz >> 
))][cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 40 timeout 6 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_parse_entry] (0x0400): Got deref control >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_parse_entry] (0x0400): All deref results from a single >> control parsed >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f84153cc180], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 40 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_get_view_name_done] (0x0400): No view found, using default. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_get_view_name_done] (0x0400): Found view name [default]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) >> [Success (Success)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[(nil)], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [read_pipe_handler] (0x0400): EOF received, client finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [parse_krb5_child_response] (0x1000): child response [0][3][40]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [parse_krb5_child_response] (0x1000): TGT times are >> [1468220118][1468220118][1468256118][1468306518]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [parse_krb5_child_response] (0x1000): child response [0][6][8]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [fo_set_port_status] (0x0100): Marking port 0 of server ' >> svlxxipap.linuxdomain.cz' as 'working' >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [set_server_common_status] (0x0100): Marking server ' >> svlxxipap.linuxdomain.cz' as 'working' >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' >> svlxxipap.linuxdomain.cz' as 'working' >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] >> (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] >> done. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) >> [Success (Success)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [child_sig_handler] (0x1000): Waiting for child [30821]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [child_sig_handler] (0x0100): child [30821] finished successfully. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sbus_message_handler] (0x2000): Received SBUS method >> org.freedesktop.sssd.dataprovider.getAccountInfo on path >> /org/freedesktop/sssd/dataprovider >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_req_set_domain] (0x0400): Changing request domain from [ >> linuxdomain.cz] to [sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust >> View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 41 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841542ea90], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 41 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_send] (0x0400): Executing extended operation >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 42 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> 
(0x2000): New operation 42 timeout 6 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f8415458f80], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f8415458f80], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), >> (null). >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 42 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_search_by_name] (0x0400): No such entry >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_send] (0x0400): Executing extended operation >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 43 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 43 timeout 6 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841544d770], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841544d770], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), >> (null). 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 43 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_save_objects] (0x2000): Updating memberships for >> simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such >> object](32)[ldb_wait: No such object (32)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_update_members_ex] (0x0020): Could not add member [ >> simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz >> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_s2n_save_objects] (0x2000): Updating memberships for >> simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such >> object](32)[ldb_wait: No such object (32)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sysdb_update_members_ex] (0x0020): Could not add member [ >> simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz >> ,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success >> (Success) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[(nil)], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sbus_message_handler] (0x2000): Received SBUS method >> org.freedesktop.sssd.dataprovider.pamHandler on path >> /org/freedesktop/sssd/dataprovider >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [be_req_set_domain] (0x0400): Changing request domain from [ >> linuxdomain.cz] to [sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] >> (0x0100): Got request with the following data >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): command: PAM_ACCT_MGMT >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): domain: sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): user: simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): service: sudo >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): tty: /dev/pts/0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): ruser: simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): rhost: >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): authtok type: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): newauthtok type: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): priv: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): cli_pid: 30819 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] >> (0x0100): logon name: not set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] >> (0x0400): Performing access check for user 
[simecek.tomas at sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user >> [simecek.tomas at sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD >> access control >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_account_expired_ad] (0x0400): Performing AD access check for user [ >> simecek.tomas at sd-stc.cz] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz >> ))][cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 44 timeout 60 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543ecb0], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [fqdn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [serverHostname] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaSshPubKey] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543ecb0], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 44 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_deref_search_send] 
(0x2000): Server supports OpenLDAP deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= >> spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] >> using OpenLDAP deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no >> filter][fqdn=spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 45 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_parse_entry] (0x0400): Got deref control >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] >> (0x1000): Dereferenced DN: >> ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] >> (0x1000): Dereferenced DN: >> ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] >> (0x1000): Dereferenced DN: >> ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_x_deref_parse_entry] (0x0400): All deref results from a single >> control parsed >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 45 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_hbac_service_info_next] (0x0400): Sending request for next search >> base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): 
Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 46 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 46 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search >> base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 47 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [member] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [member] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841543f610], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >> errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_op_finished] (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_op_destructor] (0x2000): Operation 47 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [ipa_hbac_rule_info_next] (0x0400): Sending request for next search 
base: >> [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= >> spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_print_server] (0x2000): Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with >> [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= >> spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48 >> (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_op_add] >> (0x2000): New operation 48 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841545aab0], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841545aab0], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] >> (0x1000): OriginalDN: >> [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [ipaenabledflag] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [accessRuleType] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberUser] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberService] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] >> (0x2000): No sub-attributes for [memberHost] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], >> ops[0x7f841545aab0], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] >> 
>> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>>
>> Any idea what to check next?
>>
>> Thanks a lot.
>>
>> Tomas
>>
>>
>> 2016-07-04 9:50 GMT+02:00 Tomas Simecek :
>>
>>> Dear freeipa users/admins,
>>> I'm trying to implement freeipa in our company, so that our Unix admins
>>> can authenticate on Linux servers using their Windows AD account.
>>> Following this guide
>>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>>> work well, they can log in without problems.
>>> What I cannot get working is sudo from their AD accounts on Linux.
>>>
>>> No matter what I try, it is still:
>>>
>>> sudo systemctl restart httpd
>>> [sudo] password for simecek.tomas at sd-stc.cz:
>>> Sorry, try again.
>>> >>> Here's our setup: >>> Freeipa server: CentOS Linux release 7.2.1511 (Core), >>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>> Freeipa client: the same >>> >>> AD domain name: sd-stc.cz >>> IPA domain: linuxdomain.cz >>> >>> When digging in logs and googling, I realized that the problem on client >>> side could be: >>> >>> [root at spcss-2t-www ~]# kinit -k >>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@) >>> >>> But this seems to work: >>> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ >>> Password for simecek.tomas at SD-STC.CZ: >>> [root at spcss-2t-www ~]# klist >>> Default principal: simecek.tomas at SD-STC.CZ >>> >>> Valid starting Expires Service principal >>> 07/04/2016 09:36:26 07/04/2016 19:36:26 krbtgt/SD-STC.CZ at SD-STC.CZ >>> renew until 07/05/2016 09:36:23 >>> >>> My /etc/sssd/sssd.conf: >>> [domain/linuxdomain.cz] >>> >>> cache_credentials = True >>> krb5_store_password_if_offline = True >>> ipa_domain = linuxdomain.cz >>> krb5_realm = LINUXDOMAIN.CZ >>> id_provider = ipa >>> auth_provider = ipa >>> access_provider = ipa >>> ipa_hostname = spcss-2t-www.linuxdomain.cz >>> chpass_provider = ipa >>> ipa_server = svlxxipap.linuxdomain.cz >>> ldap_tls_cacert = /etc/ipa/ca.crt >>> override_shell = /bin/bash >>> sudo_provider = ldap >>> ldap_uri = ldap://svlxxipap.linuxdomain.cz >>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz >>> ldap_sasl_mech = GSSAPI >>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ >>> ldap_sasl_realm = LINUXDOMAIN.CZ >>> krb5_server = svlxxipap.linuxdomain.cz >>> >>> [sssd] >>> services = nss, sudo, pam, ssh >>> config_file_version = 2 >>> >>> domains = linuxdomain.cz >>> [nss] >>> homedir_substring = /home >>> .... 
>>>
>>> My /etc/krb5.conf:
>>> #File modified by ipa-client-install
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [libdefaults]
>>> default_realm = LINUXDOMAIN.CZ
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>> udp_preference_limit = 0
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>>
>>> [realms]
>>> LINUXDOMAIN.CZ = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>>>
>>> [domain_realm]
>>> .linuxdomain.cz = LINUXDOMAIN.CZ
>>> linuxdomain.cz = LINUXDOMAIN.CZ
>>>
>>> Would you please suggest which way to investigate?
>>>
>>> Thanks
>>>
>>> Tomas Simecek
>>>
>>
>>
>

From simecek.tomas at gmail.com Mon Jul 11 17:46:18 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Mon, 11 Jul 2016 19:46:18 +0200
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com>
References: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com>
Message-ID:

OK, thanks Justin, problem solved :-)
I have re-checked the HBAC rule you mentioned and I noticed I can add "sudo" to services. When I added it, it suddenly works. I'm an idiot. I thought that's why we have sudo rules in IPA.
Thank you big time!
Tomas

2016-07-11 16:44 GMT+02:00 Justin Stephenson :
> Hello,
>
> From the logs below, it appears the failure occurs when an HBAC evaluation is done. Can you double-check the HBAC rule 'Unixari na test servery' ?
> Also, you can run the below command for testing the expected HBAC rules are > allowing/denying access > > # ipa hbactest --user ' > simecek.tomas at sd-stc.cz' --host 'hostname' --service=sudo > > ---------------------------------------------------- > > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_attrs_to_rule] (0x1000): Processing rule > [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_user_attrs_to_rule] (0x1000): Processing > users for rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_users] (0x2000): Search users with > filter: > (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_users] (0x2000): No such entry* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [sysdb_search_groups] (0x2000): Search groups > with filter: > (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX > group [grpunixadmins] to rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x1000): > Processing PAM services for rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x2000): Added > service [login] to rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_service_attrs_to_rule] (0x2000): Added > service [sshd] to rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_thost_attrs_to_rule] (0x1000): Processing > target hosts for rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_host_attrs_to_rule] (0x2000): Added host > 
[spcss-2t-www.linuxdomain.cz ] to rule > [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_host_attrs_to_rule] (0x1000): > [fqdn=zp-cml-test.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] > does not map to either a host or hostgroup. Skipping* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_shost_attrs_to_rule] (0x0400): Processing > source hosts for rule [Unixari na test servery]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_shost_attrs_to_rule] (0x2000): Source > hosts disabled, setting ALL* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x1000): [7] groups > for [simecek.tomas at sd-stc.cz ]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x2000): Skipping > non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [hbac_eval_user_element] (0x1000): Added group > [grpunixadmins] for user [simecek.tomas at sd-stc.cz > ]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] 
[ipa_hbac_evaluate_rules] (0x0080): Access > denied by HBAC rules* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Backend > returned: (0, 6, ) [Success (Permission denied)]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sending > result [6][sd-stc.cz ]* > *(Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sent result > [6][sd-stc.cz ]*
>
>
> Kind regards,
>
> Justin Stephenson
> On 07/11/2016 03:04 AM, Tomas Simecek wrote:
>
> Hi all,
> thanks and sorry for my late answer again. I am new to mailing lists and I assumed no one is responding when mails are not coming. I did not know I have to check on the website.
>
> I have enabled sssd_sudo log and here are outputs from sssd_sudo.log and sssd_linuxdomain.cz.log when trying sudo again:
> sssd_sudo.log:
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): > Client connected! > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Offered version [1].
> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): > Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [ simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [ simecek.tomas at sd-stc.cz > ] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About to get sudo rules from cache > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > 
[(&(objectClass=sudoRule)(|(name=defaults)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [@sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name ' simecek.tomas at sd-stc.cz' > matched expression for domain 'sd-stc.cz', user is simecek.tomas > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): > Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [ simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [ simecek.tomas at sd-stc.cz > ] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving rules for [ simecek.tomas at sd-stc.cz] > from [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About to get sudo rules from 
cache > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser= > simecek.tomas at sd-stc.cz > )(sudoUser=#988604700)(sudoUser=%domain\ <20users at sd-stc.cz> > 20users at sd-stc.cz)(sudoUser=% unixadmins at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=% account at sd-stc.cz > )(sudoUser=+*)))] > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): > Sorting rules with higher-wins logic > (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 1 rules for [simecek.tomas at sd-stc.cz] > (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): > Received SBUS method org.freedesktop.sssd.service.ping on path > /org/freedesktop/sssd/service > (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > > Looking at it with my untrained eye gives no clue what could be wrong. 
> > Here is sssd_linuxdomain.cz.log from the same moment: > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getAccountInfo on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_get_account_info] (0x0200): Got request for > [0x1002][1][name=grpunixadmins] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [linuxdomain.cz > ] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_groups_next_base] (0x0400): Searching for groups with base > [cn=accounts,dc=linuxdomain,dc=cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 32 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [gidNumber] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [member] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 32 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_process_send] (0x2000): About to process group > [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_users] (0x2000): Search users with filter: > (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_users] (0x2000): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_groups] (0x2000): Search groups with filter: > (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group > [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_process_send] (0x2000): Members of group > [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] will be > processed individually > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 33 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f8415450e50], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f8415450e50], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f8415450e50], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 33 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and > setting GID=0! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_process_send] (0x2000): About to process group > [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_recv] (0x0400): 0 users found in the hash table > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_nested_group_recv] (0x0400): 2 groups found in the hash table > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_primary_name] (0x0400): Processing object grpunixadmins > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x0400): Processing group grpunixadmins > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x2000): This is a posix group > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN > [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to attributes > of [grpunixadmins]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp > [20160629090835Z] to attributes of [grpunixadmins]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_ghost_members] (0x0400): The group has 1 members > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_ghost_members] (0x0400): Group has 1 members > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x0400): Storing info for group grpunixadmins > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. 
> [0][Success] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_primary_name] (0x0400): Processing object ad_admins_external > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x0400): Processing group ad_admins_external > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x2000): This is not a posix group > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN > [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] to > attributes of [ad_admins_external]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp > [20160629090835Z] to attributes of [ad_admins_external]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_ghost_members] (0x0400): The group has 0 members > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_ghost_members] (0x0400): Group has 0 members > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_group] > (0x0400): Storing info for group ad_admins_external > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_primary_name] (0x0400): Processing object grpunixadmins > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] > (0x0400): Processing group grpunixadmins > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] > (0x0400): Adding member users to group [grpunixadmins] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_fill_memberships] (0x1000): member #0 > (cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz): > [name=ad_admins_external,cn=groups,cn=linuxdomain.cz,cn=sysdb] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_primary_name] (0x0400): Processing object ad_admins_external > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] > (0x0400): Processing group 
ad_admins_external > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] > (0x0400): Failed to get group sid > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_save_grpmem] > (0x0400): No members for group [ad_admins_external] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_nested_done] > (0x2000): No external members, done(Mon Jul 11 08:55:14 2016) [sssd[be[ > linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:linuxdomain.cz:1f46c9d8-3c33-11e6-9653-005056961bfa))][cn=Default > Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 34 timeout 60 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841543e380], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841543e380], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 34 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] > (0x0100): Request processed. 
Returned 0,0,Success (Success) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getAccountInfo on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust > View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 35 timeout 60 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cece0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 35 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 36 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 36 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841540fe90], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841540fe90], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 36 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_by_name] (0x0400): No such entry > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 37 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 37 timeout 6 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84154511d0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84154511d0], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 37 finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name= > simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name= > simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] > (0x0100): Request processed. Returned 0,0,Success (Success) > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] > (0x0100): Got request with the following data > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): command: SSS_PAM_PREAUTH > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): domain: sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): user: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): service: sudo > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): ruser: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): rhost: > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): authtok type: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): priv: 0 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_send] (0x1000): Wait queue of user [ > simecek.tomas at sd-stc.cz] is empty, running 
> request [0x7f8415414ac0] immediately. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] > (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is > 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x0200): Found address for server > svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > svlxxipap.linuxdomain.cz' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [30820] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [30820] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [write_pipe_handler] (0x0400): All data has been sent! 
> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0100): Marking port 0 of server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [set_server_common_status] (0x0100): Marking server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_store_creds] (0x0010): password not available, offline auth may > not work. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] > (0x1000): Wait queue for user [ > simecek.tomas at sd-stc.cz] is empty. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] > done. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x1000): Waiting for child [30820]. > (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x0100): child [30820] finished successfully. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.pamHandler on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] > (0x0100): Got request with the following data > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): command: PAM_AUTHENTICATE > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): domain: sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): user: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): service: sudo > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): tty: /dev/pts/0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): ruser: simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): rhost: > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): authtok type: 1 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): newauthtok type: 0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): priv: 0 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): cli_pid: 30819 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] > (0x0100): logon name: not set > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_send] (0x1000): Wait queue of user [ > simecek.tomas at sd-stc.cz] is empty, 
running > request [0x7f841541e810] immediately. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] > (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is > 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] > (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [be_resolve_server_process] (0x0200): Found address for server > svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > svlxxipap.linuxdomain.cz' > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [30821] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [30821] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [write_pipe_handler] (0x0400): All data has been sent! 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getDomains on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] > (0x0400): Got get subdomains [SD-STC] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaSecondaryBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New 
operation 38 timeout 6 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaSecondaryBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: > [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaBaseRID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaIDRangeSize] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaRangeType] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542c770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 38 finished > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustDirection] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 39 timeout 6 > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:18 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTFlatName] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaNTTrustDirection] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 39 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a > member domain > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] > (0x0200): Trust direction of sd-stc.cz is trust direction not set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP > deref > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_search_send] (0x0400): Dereferencing entry > [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz > ))][cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 40 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 40 timeout 6 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > control parsed > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f84153cc180], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x2000): Total count [0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 40 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_get_view_name_done] (0x0400): No view found, using default. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_get_view_name_done] (0x0400): Found view name [default]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][3][40]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): TGT times are > [1468220118][1468220118][1468256118][1468306518]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [parse_krb5_child_response] (0x1000): child response [0][6][8]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0100): Marking port 0 of server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [set_server_common_status] (0x0100): Marking server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > svlxxipap.linuxdomain.cz' as 'working' > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] > (0x1000): Wait queue for user [ > simecek.tomas at sd-stc.cz] is empty. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f841541e810] > done. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success (Success)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x1000): Waiting for child [30821]. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] > (0x0100): child [30821] finished successfully. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_message_handler] (0x2000): Received SBUS method > org.freedesktop.sssd.dataprovider.getAccountInfo on path > /org/freedesktop/sssd/dataprovider > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [be_get_account_info] (0x0200): Got request for [0x3][1][name=simecek.tomas] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] > (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] > (0x2000): Searching 10.1.123.103 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust > View,cn=views,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 41 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 41 timeout 60 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841542ea90], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 41 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 42 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 42 timeout 6 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f8415458f80], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f8415458f80], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 42 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_search_by_name] (0x0400): No such entry > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x0400): Executing extended operation > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] > (0x2000): ldap_extended_operation sent, msgid = 43 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] > (0x2000): New operation 43 timeout 6 > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841544d770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[0x7f841544d770], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] > (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_op_destructor] (0x2000): Operation 43 finished > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name= > simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [ipa_s2n_save_objects] (0x2000): Updating memberships for > simecek.tomas at sd-stc.cz > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sysdb_update_members_ex] (0x0020): Could not add member [ > simecek.tomas at sd-stc.cz] to group [name= > simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping. > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] > (0x0100): Request processed. Returned 0,0,Success (Success) > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], > ops[(nil)], ldap[0x7f8415405dc0] > (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 44 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 44 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 45
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 45 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 45 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 46
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 46 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 46 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 47 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 47 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 48 timeout 60
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>
> Any idea what to check next?
>
> Thanks a lot.
>
> Tomas
>
>
> 2016-07-04 9:50 GMT+02:00 Tomas Simecek:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can login without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas@sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on client
>> side could be:
>>
>> [root@spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root@spcss-2t-www ~]# kinit simecek.tomas@SD-STC.CZ
>> Password for simecek.tomas@SD-STC.CZ:
>> [root@spcss-2t-www ~]# klist
>> Default principal: simecek.tomas@SD-STC.CZ
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ@SD-STC.CZ
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz@LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek

From jstephen at redhat.com Mon Jul 11 17:53:08 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Mon, 11 Jul 2016 13:53:08 -0400
Subject: [Freeipa-users] Freeipa and sudo
In-Reply-To:
References: <382c8fa4-6ee7-ed81-0cbf-603b5c77c7bd@redhat.com>
Message-ID: <8555214b-9c9e-2a24-0219-78a4b6759902@redhat.com>

Great, glad to hear it is working for you.

-Justin

On 07/11/2016 01:46 PM, Tomas Simecek wrote:
> OK,
> thanks Justin, problem solved :-)
> I have re-checked the HBAC rule you mentioned and I noticed I can add
> "sudo" to services.
> When I added it, it suddenly works. I'm an idiot.
> I thought that's why we have sudo rules in IPA.
>
> Thank you big time!
>
> Tomas
>
> 2016-07-11 16:44 GMT+02:00 Justin Stephenson:
>
> Hello,
>
> From the logs below, it appears the failure occurs when a HBAC
> evaluation is done. Can you double-check the HBAC rule 'Unixari na
> test servery' ?
> Also, you can run the below command for testing whether
> the expected HBAC rules are allowing/denying access
>
> # ipa hbactest --user 'simecek.tomas@sd-stc.cz' --host 'hostname' --service=sudo
>
> ----------------------------------------------------
>
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas@sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas@sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
>
>
> Kind regards,
>
> Justin Stephenson
>
> On 07/11/2016 03:04 AM, Tomas Simecek wrote:
>> Hi all,
>> thanks and sorry for my late answer again. I am new to mailing
>> lists and I assumed no one is responding when mails are not coming.
>> I did not know I have to check on the website.
>>
>> I have enabled sssd_sudo log and here are outputs from
>> sssd_sudo.log and sssd_linuxdomain.cz.log when trying sudo again:
>> sssd_sudo.log:
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468220114)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=+*)))]
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>> (Mon Jul 11 08:55:14 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [simecek.tomas@sd-stc.cz]
>> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>> (Mon Jul 11 08:55:21 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>
>> Looking at it with my untrained eye gives no clue what could be
>> wrong.
>> >> Here is sssd_linuxdomain.cz.log from the same moment: >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sbus_message_handler] (0x2000): >> Received SBUS method >> org.freedesktop.sssd.dataprovider.getAccountInfo on path >> /org/freedesktop/sssd/dataprovider >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sbus_get_sender_id_send] (0x2000): >> Not a sysbus message, quit >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [be_get_account_info] (0x0200): Got >> request for [0x1002][1][name=grpunixadmins] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [be_req_set_domain] (0x0400): Changing >> request domain from [linuxdomain.cz ] to >> [linuxdomain.cz ] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_groups_next_base] (0x0400): >> Searching for groups with base [cn=accounts,dc=linuxdomain,dc=cz] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with >> [(&(cn=grpunixadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [posixGroup] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [cn] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [userPassword] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [gidNumber] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [member] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaNTSecurityIdentifier] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [modifyTimestamp] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [entryUSN] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x2000): >> ldap_search_ext called, msgid = 32 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_add] (0x2000): New operation >> 32 timeout 6 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: >> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectClass] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [gidNumber] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [member] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipaUniqueID] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipaNTSecurityIdentifier] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [modifyTimestamp] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [entryUSN] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f84153cc180], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x0400): Search result: Success(0), no errmsg set >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 32 finished >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_groups_process] (0x0400): >> Search for groups, returned 1 results. 
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_has_deref_support] (0x0400): The >> server supports deref method OpenLDAP >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_nested_group_process_send] >> (0x2000): About to process group >> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_search_users] (0x2000): Search >> users with filter: >> (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_search_users] (0x2000): No such >> entry >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_search_groups] (0x2000): Search >> groups with filter: >> (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_nested_group_process_send] >> (0x2000): Looking up 1/1 members of group >> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_nested_group_process_send] >> (0x2000): Members of group >> [cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz] >> will be processed individually >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with >> [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [posixGroup] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [cn] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [userPassword] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [gidNumber] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [member] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaNTSecurityIdentifier] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [modifyTimestamp] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [entryUSN] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x2000): >> ldap_search_ext called, msgid = 33 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_add] (0x2000): New operation >> 33 timeout 6 >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> ldap_result found nothing! 
>> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: >> [cn=ad_admins_external,cn=groups,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectClass] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipaUniqueID] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [modifyTimestamp] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [entryUSN] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f8415450e50], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x0400): Search result: Success(0), no errmsg set >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 33 finished >> (Mon Jul 11 08:55:14 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_nested_group_hash_group] >> (0x2000): Marking group as non-posix and setting GID=0! 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 43 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [ipa_s2n_save_objects] (0x2000): >> Updating memberships for simecek.tomas at sd-stc.cz >> >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_mod_group_member] (0x0080): >> ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_mod_group_member] (0x0400): >> Error: 2 (No such file or directory) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_update_members_ex] (0x0020): >> Could not add member [simecek.tomas at sd-stc.cz >> ] to group >> [name=simecek.tomas at sd-stc.cz >> ,cn=groups,cn=sd-stc.cz >> ,cn=sysdb]. Skipping. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [ipa_s2n_save_objects] (0x2000): >> Updating memberships for simecek.tomas at sd-stc.cz >> >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_mod_group_member] (0x0080): >> ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_mod_group_member] (0x0400): >> Error: 2 (No such file or directory) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sysdb_update_members_ex] (0x0020): >> Could not add member [simecek.tomas at sd-stc.cz >> ] to group >> [name=simecek.tomas at sd-stc.cz >> ,cn=groups,cn=sd-stc.cz >> ,cn=sysdb]. Skipping. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [acctinfo_callback] (0x0100): Request >> processed. Returned 0,0,Success (Success) >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> ldap_result found nothing! 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sbus_message_handler] (0x2000): >> Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler >> on path /org/freedesktop/sssd/dataprovider >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sbus_get_sender_id_send] (0x2000): >> Not a sysbus message, quit >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [be_req_set_domain] (0x0400): Changing >> request domain from [linuxdomain.cz ] to >> [sd-stc.cz ] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [be_pam_handler] (0x0100): Got request >> with the following data >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): command: >> PAM_ACCT_MGMT >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): domain: >> sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): user: >> simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): service: sudo >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): tty: /dev/pts/0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): ruser: >> simecek.tomas at sd-stc.cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): rhost: >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): authtok type: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): newauthtok >> type: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): priv: 0 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): cli_pid: 30819 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [pam_print_data] (0x0100): logon name: >> not set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_access_send] 
(0x0400): >> Performing access check for user [simecek.tomas at sd-stc.cz >> ] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_account_expired_rhds] (0x0400): >> Performing RHDS access check for user [simecek.tomas at sd-stc.cz >> ] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_account_expired] (0x0400): IPA >> access control succeeded, checking AD access control >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_account_expired_ad] (0x0400): >> Performing AD access check for user [simecek.tomas at sd-stc.cz >> ] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with >> [(&(objectClass=ipaHost)(fqdn=spcss-2t-www.linuxdomain.cz >> ))][cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [fqdn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [serverHostname] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaSshPubKey] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x2000): >> ldap_search_ext called, msgid = 44 >> (Mon Jul 
11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_add] (0x2000): New operation >> 44 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [fqdn=spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [fqdn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [serverHostname] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipaSshPubKey] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543ecb0], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x0400): Search result: Success(0), no errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 44 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] 
[sdap_has_deref_support] (0x0400): The >> server supports deref method OpenLDAP >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_deref_search_send] (0x2000): >> Server supports OpenLDAP deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_x_deref_search_send] (0x0400): >> Dereferencing entry [fqdn=spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] >> using OpenLDAP deref >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with [no >> filter][fqdn=spcss-2t-www.linuxdomain.cz >> ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [objectClass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipaUniqueID] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x2000): >> ldap_search_ext called, msgid = 45 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_add] (0x2000): New operation >> 45 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> ldap_result found nothing! 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_x_deref_parse_entry] (0x0400): >> Got deref control >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_deref] (0x1000): >> Dereferenced DN: >> ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_deref] (0x1000): >> Dereferenced DN: >> ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_deref] (0x1000): >> Dereferenced DN: >> ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_x_deref_parse_entry] (0x0400): >> All deref results from a single control parsed >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x0400): Search result: Success(0), no errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 45 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [ipa_hostgroup_info_done] (0x0200): No >> host groups were dereferenced >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [ipa_hbac_service_info_next] (0x0400): >> Sending request for next search base: >> [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] >> (Mon Jul 11 08:55:19 2016) 
[sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with >> [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [member] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x1000): >> Requesting attrs: [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x2000): >> ldap_search_ext called, msgid = 46 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_add] (0x2000): New operation >> 46 timeout 60 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> ldap_result found nothing! >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: >> [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: >> [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: >> [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_entry] (0x1000): >> OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [objectclass] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [cn] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [ipauniqueid] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_parse_range] (0x2000): No >> sub-attributes for [memberOf] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_process_result] (0x2000): Trace: >> sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], >> ldap[0x7f8415405dc0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x0400): Search result: Success(0), no errmsg set >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_op_finished] >> (0x2000): Total count [0] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_op_destructor] (0x2000): >> Operation 46 finished >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [ipa_hbac_servicegroup_info_next] >> (0x0400): Sending request for next search base: >> [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_print_server] (0x2000): >> Searching 10.1.123.103 >> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz >> ]]] [sdap_get_generic_ext_step] (0x0400): >> calling ldap_search_ext with >> [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 47
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 47 timeout 60
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841543f610], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 47 finished
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=51215b28-3dd0-11e6-b387-005056961bfa,cn=ng,cn=alt,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 48
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 48 timeout 60
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[0x7f841545aab0], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 48 finished
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [spcss-2t-www.linuxdomain.cz] to rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [7] groups for [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [6][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [6][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8415400af0], connected[1], ops[(nil)], ldap[0x7f8415405dc0]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 30819
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x7f8415414ac0] immediately.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sss_d[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1028
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30822]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30822]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [30822].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [30822] finished successfully.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f8415414ac0] done.
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
>> (Mon Jul 11 08:55:19 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
>>
>> Any idea what to check next?
>>
>> Thanks a lot.
>>
>> Tomas
>>
>>
>> 2016-07-04 9:50 GMT+02:00 Tomas Simecek:
>>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins can authenticate on Linux servers using their Windows AD account.
>> Following this guide https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work well, they can login without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.tomas at sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core), ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on the client side could be:
>>
>> [root at spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root at spcss-2t-www ~]# kinit simecek.tomas at SD-STC.CZ
>> Password for simecek.tomas at SD-STC.CZ:
>> [root at spcss-2t-www ~]# klist
>> Default principal: simecek.tomas at SD-STC.CZ
>>
>> Valid starting       Expires              Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/SD-STC.CZ at SD-STC.CZ
>>         renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>>
>> [domain/linuxdomain.cz]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain.cz at LINUXDOMAIN.CZ
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>> domains = linuxdomain.cz
>>
>> [nss]
>> homedir_substring = /home
>> ....
>>
>> My /etc/krb5.conf:
>>
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = LINUXDOMAIN.CZ
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> LINUXDOMAIN.CZ = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>
>> [domain_realm]
>> .linuxdomain.cz = LINUXDOMAIN.CZ
>> linuxdomain.cz = LINUXDOMAIN.CZ
>>
>> Would you please suggest which way to investigate?
>>
>> Thanks
>>
>> Tomas Simecek
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From larry.rosen at JDRSolutions.com Fri Jul 8 16:29:34 2016
From: larry.rosen at JDRSolutions.com (Larry Rosen)
Date: Fri, 8 Jul 2016 16:29:34 +0000
Subject: [Freeipa-users] Creating roles tutorial/how-to
Message-ID: <79B7CEE400C91A4C9FD8BF082D8226072092D3@JDRPDC.JDRSolutions.local>

I want a role the user snapmgr belongs to that can add and delete snapon group member users, reset/change their passwords and unlock their accounts.

When I login as snapmgr and attempt to reset the password of user snaptestuser1 (member of snapon group), it fails with "Insufficient access: Insufficient access rights".

What did I miss? What are the minimum permission effective attributes that need to be checked?
OK, so I created:

1) A user snapmgr to be the group manager, able to reset passwords of snapon users (members of the snapon group)
2) A role named snapon-manage, and assigned user snapmgr as the member user
3) A privilege named snapon_management_privileges
4) A permission named snap_user_passwd, assigned to the snapon_management_privileges privilege, which is assigned to the snapon-manage role

PERMISSION SETTINGS:
Bind rule type: [x] permission
Granted rights: [x] read [x] write [x] add [x] delete [x] all
TARGET:
Type: user
Target DN: blank
Member of group: snapon
Effective attributes: [x] description [x] ipasshpubkey [x] homedirectory [x] userpassword [x] krbprincipalname [x] krblastadminunlock

Larry Rosen - Linux System Administrator
JDR Solutions, Inc
8606 Allisonville Road, Suite 245
Indianapolis, IN 46250
www.jdrsolutions.com

From larry.rosen at JDRSolutions.com Fri Jul 8 17:50:06 2016
From: larry.rosen at JDRSolutions.com (Larry Rosen)
Date: Fri, 8 Jul 2016 17:50:06 +0000
Subject: [Freeipa-users] Creating roles tutorial/how-to
In-Reply-To: <5776F285.9070800@redhat.com>
References: <79B7CEE400C91A4C9FD8BF082D822607204D52@JDRPDC.JDRSolutions.local> <5776F285.9070800@redhat.com>
Message-ID: <79B7CEE400C91A4C9FD8BF082D822607209455@JDRPDC.JDRSolutions.local>

Thanks, I had those parts figured out. I have a basic role/user working.

My next questions are: When or why would I need to specify a Target DN or Extra target filter? I don't think any are necessary for this role that has this permission to work, since I specified the group (member of group) it can target.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, July 01, 2016 6:45 PM
To: Larry Rosen ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating roles tutorial/how-to

Larry Rosen wrote:
> Are there any tutorials/how-to's to guide how to create roles? The
> docs simply go through filling out the forms, but is there any
> resource about how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to
> specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user
> that can add, modify, delete user accounts and set/reset/unlock
> passwords for one group.

The order of access control looks like permissions -> privileges -> roles.

The associated privileges provide a set of permissions (actions a role can take) to the role. Users, groups, hosts, hostgroups and services (depending on version of IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions. An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege available for that, so you typically don't need to mess with these.
rob

From lmgnid at hotmail.com Sat Jul 9 00:47:12 2016
From: lmgnid at hotmail.com (lm gnid)
Date: Sat, 9 Jul 2016 00:47:12 +0000
Subject: [Freeipa-users] DNS service named in one of our IPA server cannot start
Message-ID:

Hello,

In one of our IPA servers, the named service suddenly cannot start, so I followed the link below:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

Found some errors like below:

==> messages <==
Jul 8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed

It should be an "Invalid credentials: bind to LDAP server failed" error; however, the commands below show no issues to me:

[root at eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM: kvno = 2

[root at eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM

[root at eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
[root at eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket' -Y GSSAPI -b 'cn=dns,dc=internal,dc=com'
......

For now, I have used the "(Workaround) Use simple LDAP BIND insted of Kerberos" to make it work, but I still want to know how to recover to "sasl"?

Thanks in advance!
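Two checks that go one step beyond "klist -kt looks fine" for the named-pkcs11 bind failure described above. This is an added example, not code from the post or from bind-dyndb-ldap: it compares the key version in the keytab with the one the KDC currently holds for the DNS principal (a stale keytab fails the bind even though klist shows the principal), and it performs the SASL GSSAPI bind from a fresh credential cache created from the keytab, the way named does, rather than reusing root's tickets. Principal, keytab path, ldapi socket and base DN are taken from the post; `kvno` needs a valid TGT in the caller's default ccache.

```shell
#!/bin/sh
# Added example (not from the thread): is /etc/named.keytab in sync with the
# KDC, and does a GSSAPI bind with it work from a clean ccache?

# Distinct key version numbers stored in KEYTAB for PRINC, one per line.
keytab_kvnos() {
    keytab=$1 princ=$2
    klist -kt "$keytab" | awk -v p="$princ" '$NF == p { print $1 }' | sort -u
}

# Current key version the KDC reports for PRINC (empty if the query fails).
kdc_kvno() {
    kvno "$1" | awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# 0: keytab holds a key with the KDC's current kvno
# 1: keytab is stale (kvno mismatch); re-issue it with ipa-getkeytab
# 2: KDC could not be queried (no TGT in the ccache, or unknown principal)
keytab_matches_kdc() {
    keytab=$1 princ=$2
    kdc=$(kdc_kvno "$princ")
    [ -n "$kdc" ] || return 2
    for k in $(keytab_kvnos "$keytab" "$princ"); do
        [ "$k" = "$kdc" ] && return 0
    done
    return 1
}

# kinit from the keytab into a throw-away ccache and bind with it.  If kinit
# succeeds but the bind still reports SASL(-14), Kerberos authentication is
# fine: -14 is SASL_NOAUTHZ, an authorization failure, meaning the directory
# could not map the authenticated principal to an entry.  The next thing to
# inspect is then the DNS service entry and the SASL mapping, not the keytab.
gssapi_bind_check() {
    keytab=$1 princ=$2 uri=$3 base=$4
    cc=$(mktemp) || return 2
    if ! KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ"; then
        rm -f "$cc"
        return 1
    fi
    KRB5CCNAME="FILE:$cc" ldapsearch -LLL -Y GSSAPI -H "$uri" -b "$base" -s base 1.1
    rc=$?
    kdestroy -c "$cc" 2>/dev/null
    rm -f "$cc"
    return $rc
}

# Run as "sh named-bind-check.sh check" on the IPA server.  Note that running
# as root does not prove that the named user can read the keytab; check its
# mode and group separately.
if [ "${1:-}" = "check" ]; then
    princ='DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM'
    keytab=/etc/named.keytab
    keytab_matches_kdc "$keytab" "$princ"
    case $? in
        0) echo "keytab kvno matches the KDC, trying the GSSAPI bind named would do"
           gssapi_bind_check "$keytab" "$princ" \
               'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket' 'cn=dns,dc=internal,dc=com' ;;
        1) echo "keytab kvno does not match the KDC: re-issue $keytab with ipa-getkeytab" ;;
        *) echo "could not query the KDC for $princ (kinit as admin first)" ;;
    esac
fi
```

The functions only shell out to `klist`, `kvno`, `kinit`, `ldapsearch` and `kdestroy`, so they can be exercised offline by shadowing those commands with shell functions that print captured output, which is how the checks below were validated.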
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From larry.rosen at JDRSolutions.com Mon Jul 11 19:47:05 2016
From: larry.rosen at JDRSolutions.com (Larry Rosen)
Date: Mon, 11 Jul 2016 19:47:05 +0000
Subject: [Freeipa-users] Role to add users fails - IPA Error 2100: ACIError
Message-ID: <79B7CEE400C91A4C9FD8BF082D82260720BFA7@JDRPDC.JDRSolutions.local>

Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do it. I have disabled the UPG Definition plugin.

IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your permissions.

From jstephen at redhat.com Mon Jul 11 20:14:42 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Mon, 11 Jul 2016 16:14:42 -0400
Subject: [Freeipa-users] Role to add users fails - IPA Error 2100: ACIError
In-Reply-To: <79B7CEE400C91A4C9FD8BF082D82260720BFA7@JDRPDC.JDRSolutions.local>
References: <79B7CEE400C91A4C9FD8BF082D82260720BFA7@JDRPDC.JDRSolutions.local>
Message-ID: <0da905af-9b2f-a180-f8e0-8e8b8263201f@redhat.com>

A Role encompasses multiple privileges, and privileges will normally have permissions linked to them; these three things are interconnected to form RBAC in IPA.

There are already a number of defaults that may work for you instead of creating your own. For example, by default there is a role called 'User Administrator' which is assigned the privileges 'User Administrators, Group Administrators, and Stage User Administrators'.

# ipa role-show 'User Administrator'
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators

- The User Administrators privilege has the following permissions:

# ipa privilege-show 'User Administrators'
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users, System: Change User password, System: Manage User SSH Public Keys, System: Modify Users, System: Read UPG Definition, System: Read User Kerberos Login Attributes, System: Remove Users, System: Unlock User, System: Manage User Certificates
  Granting privilege to roles: User Administrator

- The Permissions are what manipulate the underlying directory server ACIs to grant and restrict access controls.

I would say use the pre-built roles if you can, by linking an IPA group to a specific role and then testing. On the CLI or WebUI you can modify the custom roles as you see fit.

Red Hat documentation on RBAC below:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Kind regards,
Justin Stephenson

On 07/11/2016 03:47 PM, Larry Rosen wrote:
> Will creating a role to add users work?
> I created a permission to create users, but it will not allow the user to do it. I have disabled UPG Definition plugin.
>
> IPA Error 2100: ACIError
> Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
>

-------------- next part --------------
An HTML attachment was scrubbed...
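The permissions -> privileges -> roles chain that Rob and Justin describe, built on the command line for the case discussed in both threads above: a manager account that may change and unlock the passwords of members of one group and nothing else. This is an added example, not code from any of the participants or from FreeIPA itself. The group, user, privilege and role names are the ones Larry used; the per-permission attribute lists are an assumption modelled on the stock "System: Change User password" and "System: Unlock User" permissions, so confirm them with `ipa permission-show` on your own server before relying on them. The two stock read permissions are added because user management code paths read the UPG Definition entry, which is exactly the read that failed in the ACIError quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): build a least-privilege "group manager"
# role for members of one group, using the ipa CLI.  Run with "apply" to
# create the objects; with no argument only the functions are defined.

GROUP=snapon
MANAGER=snapmgr
PRIV=snapon_management_privileges
ROLE=snapon-manage

# One write permission on users who are members of $GROUP.  --memberof turns
# into a memberOf target filter in the generated ACI, so the manager cannot
# touch users outside the group; --attrs lists the only attributes the ACI
# lets the manager write.  Usage: add_scoped_permission NAME "attr1 attr2 ..."
add_scoped_permission() {
    name=$1
    attrs=$2
    set --
    for a in $attrs; do
        set -- "$@" "--attrs=$a"
    done
    ipa permission-add "$name" --type=user --memberof="$GROUP" --right=write "$@"
}

build_snapon_manager() {
    add_scoped_permission "snapon: modify members" \
        "description homedirectory loginshell ipasshpubkey"
    # userpassword alone is not enough for a reset: the password change also
    # rewrites the Kerberos keys and the expiry, so those must be writable too
    # (attribute list is an assumption, see lead-in).
    add_scoped_permission "snapon: reset member passwords" \
        "userpassword krbprincipalkey krbpasswordexpiration passwordhistory"
    add_scoped_permission "snapon: unlock members" \
        "krblastadminunlock krbloginfailedcount"

    ipa privilege-add "$PRIV" --desc="Manage members of the $GROUP group"
    ipa privilege-add-permission "$PRIV" \
        --permissions="snapon: modify members" \
        --permissions="snapon: reset member passwords" \
        --permissions="snapon: unlock members" \
        --permissions="System: Read UPG Definition" \
        --permissions="System: Read User Kerberos Login Attributes"

    ipa role-add "$ROLE" --desc="Manager of the $GROUP group"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --users="$MANAGER"
}

if [ "${1:-}" = "apply" ]; then
    build_snapon_manager
    ipa role-show "$ROLE" --all
fi
```

Two things this deliberately does not do. Adding and deleting users cannot be scoped with `--memberof`, because a new entry has no memberOf yet and an `add` ACI is evaluated on the container, so "add users of group X" needs the unscoped stock "System: Add Users" permission or a different target; that is a real widening of the role and should be a conscious decision. And a password set for another user through an ACI like this one is marked expired, so the member is forced to change it at next login unless the manager is also in the passsync-privileged group.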
URL:

From datakid at gmail.com Mon Jul 11 23:08:01 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Tue, 12 Jul 2016 09:08:01 +1000
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To: <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

Alex, Sumit,

Which log levels would you recommend for sssd to help debug this issue? We've been using 7, but I just realised that it's not an increasing scale but bitmasked...

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 11 July 2016 at 17:15, Sumit Bose wrote:
> On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
> > On 11 July 2016 at 16:44, Alexander Bokovoy wrote:
> >
> > > On Mon, 11 Jul 2016, Lachlan Musicman wrote:
> > >
> > >> Hola,
> > >>
> > >> Centos 7, up to date.
> > >>
> > >> [root at linuxidm ~]# ipa --version
> > >> VERSION: 4.2.0, API_VERSION: 2.156
> > >>
> > >> One way trust is successfully established, can login with
> > >>
> > >> ssh username at domain1.com@server1.domain2.com
> > >>
> > >> Am testing to get HBAC to work.
> > >>
> > >> I've noticed that with the Allow All rule in effect, the following set up is sufficient:
> > >>
> > >> add external group "ad_external"
> > >> add internal group "ad_internal", add ad_external as a group member of ad_internal
> > >>
> > >> AD users can now successfully login to any server.
> > >>
> > >> When I tried to set up an HBAC, I couldn't get that set up to work; I needed to complete the extra step of adding AD users explicitly to the "external member" group of the external group.
>
> yes, this is expected: you either have to add AD users or groups to the external groups.
>
> > >>
> > >> I also note that this seems to be explicitly user based, not group based?
> > >> IE, I can add lachlan at domain1.com to the external members of ad_external and that works, but adding the group server_admins at domain1.com (as seen in `id lachlan at domain1.com`) doesn't allow all members access.
>
> Since it looks like you are using FreeIPA 4.2 you might hit https://fedorahosted.org/freeipa/ticket/5573 . But SSSD logs, especially the part where the HBAC rules are evaluated, would help to understand the issue better.
>
> > >>
> > >> Does that sound correct?
> > >>
> > > No, it does not.
> > > HBAC evaluation and external group merging/resolution is done by SSSD.
> > > Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs that can help understanding what happens there.
> > >
> > > What SSSD version do you have on both IPA client and IPA server?
> >
> > 1.13.0 on both client and server.
> >
> > To be honest, we have ratcheted up the logs and it doesn't help that much. We just got lots of "unsupported PAM command [249]"
>
> This is unrelated, I assume this happens when trying to store the hashed password to the cache. This message is removed in newer releases.
>
> bye,
> Sumit
>
> > Cheers
> > L.
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From brian.topping at gmail.com Tue Jul 12 01:41:07 2016
From: brian.topping at gmail.com (Brian Topping)
Date: Mon, 11 Jul 2016 19:41:07 -0600
Subject: [Freeipa-users] Successful upgrade!
Message-ID: <26BAA17D-A798-40F7-92BF-F6978E0F5F6A@gmail.com>

Hi, this is a bit of a non-sequitur, but occasionally it can seem like the problems never end and I wanted to pass along a success story. I'm sure these happen *a lot*, just taking the time to write.
About a year ago, I did a `yum upgrade` to one of the servers in a 4.1.0 IPA cluster with a plan to move to 4.2.0 and it failed. Since I was 10,000 KM from the server at the time, I thought it was better not to mess with the remaining replica. It's been a busy year and I'm the only one that uses it right now, so I didn't worry about it too much.

Today became upgrade day. First came the realization that a cluster topology requires at least two servers and I was trying to delete one of them (to re-add later). I took a guess that I could build a third server and add it to the remaining one, then remove the server that was left inconsistent after the failed upgrade. That worked and I was able to remove the inconsistent server from the cluster, uninstall IPA, upgrade the base OS, then reinstall, which also worked with no issues.

The last step was to upgrade the original server that was still running from last year. For that one, I took a leap to see if I could do a straight `yum upgrade` at the command line. This time it worked, again with no issue.

So there were a bunch of points there that things could have gone off the rails, but they worked smooth as silk. You all have my admiration and appreciation for all the hard work that went into that. There's a LOT of moving parts that had to work to make that happen in a random field deployment and the fact that it did attests to the quality level you guys have reached. Bravo!

In any event, I'm really tickled to get client certificates in 4.2.0 now! I'll also try getting my VPN talking to the server through RADIUS at some point. Also great to see that 4.4.0a1 is out now, congrats on that!

best regards, Brian
From kashmancy at gmail.com Tue Jul 12 02:00:04 2016
From: kashmancy at gmail.com (Harry Kashouli)
Date: Mon, 11 Jul 2016 19:00:04 -0700
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
Message-ID:

Hi all,

I have a freeipa server set up, and would like to access the Web UI remotely (from outside my home network).

I set up a fresh Fedora 24 server install, and installed freeipa-server.

- I own a domain, domain.com
- The hostname of my freeipa server is hostname.subdomain.domain.com
- My home network domain is subdomain.domain.com

I set up a CNAME hostname.domain.com and port forwardings, and I tested this works with nginx on the same machine; I can successfully see the nginx test page.

I then assumed I could do the same with the freeipa Web UI, but when I navigate to http://hostname.domain.com:, it switches to https://hostname.subdomain.domain.com:, and with the following error: "Server not found"

What am I doing wrong?

Thanks.
-Harry

From rcritten at redhat.com Tue Jul 12 02:56:23 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 Jul 2016 22:56:23 -0400
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To:
References:
Message-ID: <57845C57.8000903@redhat.com>

Harry Kashouli wrote:
> Hi all,
>
> I have a freeipa server set up, and would like to access the Web UI
> remotely (from outside my home network).
>
> I set up a fresh Fedora 24 server install, and installed freeipa-server.
> - I own a domain, domain.com
> - The hostname of my freeipa server is hostname.subdomain.domain.com
> - My home network domain is subdomain.domain.com
>
> I set up a CNAME hostname.domain.com and
> port forwardings, and I tested this works with nginx on the same
> machine; I can successfully see the nginx test page.
> I then assumed I could do the same with the freeipa Web UI, but when I
> navigate to http://hostname.domain.com:, it switches to
> https://hostname.subdomain.domain.com:, and with the
> following error: "Server not found"
>
> What am I doing wrong?

Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting to the real name of the IPA server when it was installed. You can try tweaking this to allow both names, or to just not do the rewriting.

You may have issues with Kerberos and SSL due to using a different name. You definitely don't want to use IPA over an unsecure channel.

rob

From sbose at redhat.com Tue Jul 12 07:42:46 2016
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 12 Jul 2016 09:42:46 +0200
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160712074246.GB25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Tue, Jul 12, 2016 at 09:08:01AM +1000, Lachlan Musicman wrote:
> Alex, Sumit,
>
> Which log levels would you recommend for sssd to help debug this issue?
>
> We've been using 7, but I just realised that it's not an increasing scale
> but bitmasked...

It is both: 0-9 is an increasing scale while values above 16 are treated as a bitmask. Please just use 9 to get all messages.

bye,
Sumit

>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
> > - Grace Hopper > > On 11 July 2016 at 17:15, Sumit Bose wrote: > > > On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote: > > > On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > > > > > > > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > > > > > > > >> Hola, > > > >> > > > >> Centos 7, up to date. > > > >> > > > >> [root at linuxidm ~]# ipa --version > > > >> VERSION: 4.2.0, API_VERSION: 2.156 > > > >> > > > >> One way trust is successfully established, can login with > > > >> > > > >> ssh username at domain1.com@server1.domain2.com > > > >> > > > >> Am testing to get HBAC to work. > > > >> > > > >> I've noticed that with the Allow All rule in effect, the following > > set up > > > >> is sufficient: > > > >> > > > >> add external group "ad_external" > > > >> add internal group, "ad_internal", add ad_external as a group member > > of > > > >> ad_internal > > > >> > > > >> AD users can now successfully login to any server. > > > >> > > > >> When I tried to set up an HBAC, I couldn't get that set up to work, I > > > >> needed to complete the extra step of adding AD users explicitly to the > > > >> "external member" group of the external group. > > > > yes, this is expected you either have to add AD users or groups to the > > external groups. > > > > > >> > > > >> I also note that this seems to be explicitly user based, not group > > based? > > > >> IE, I can add lachlan at domain1.com to the external members of > > ad_external > > > >> and that works, but adding the group server_admins at domain1.com (as > > seen > > > >> in > > > >> `id lachlan at domain1.com`) doesn't allow all members access. > > > > Since it looks you are using FreeIPA 4.2 you might hit > > https://fedorahosted.org/freeipa/ticket/5573 . But SSSD logs, especially > > the part where the HBAC rules are evaluated would help to understand the > > issue better. > > > > > >> > > > >> Does that sound correct? > > > >> > > > > No, it does not. 
> > > > HBAC evaluation and external group merging/resolution is done by SSSD.
> > > > Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> > > > that can help understanding what happens there.
> > > >
> > > > What SSSD version do you have on both IPA client and IPA server?
> > >
> > > 1.13.0 on both client and server.
> > >
> > > To be honest, we have ratcheted up the logs and it doesn't help that much.
> > > We just got lots of "unsupported PAM command [249]"
> >
> > This is unrelated, I assume this happens when trying to store the hashed
> > password to the cache. This message is removed in newer releases.
> >
> > bye,
> > Sumit
> >
> > > Cheers
> > > L.
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From christophe.trefois at uni.lu Tue Jul 12 09:25:29 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Tue, 12 Jul 2016 09:25:29 +0000
Subject: [Freeipa-users] Could not delete change record
Message-ID:

Hi,

I have 3 replicas running 4.1 and 3 replicas running 4.2.

One of the 4.2 replicas is the new master (CRL) and is at the moment replicating against the old 4.1 cluster (we are in the process of migrating).

Upon restart of the 4.2 master, I receive many messages in slapd error log about delete_changerecord as seen below.

Is this something to worry about, or will it go away by itself?
Thank you for your help,

[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15892 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15893 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15894 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15895 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15896 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15897 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15898 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15899 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15900 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15901 (rc: 32)

Christophe
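An added example, not code from this thread or from 389-ds: a small Python triage script for errors-log lines in the shape Christophe quotes above. LDAP result code 32 is noSuchObject, so a contiguous run of rc 32 failures from the retro changelog trimmer means it tried to delete records that were already gone; any other result code, or gaps in the change numbers, are flagged for a closer look. The sample log is constructed here and includes one made-up rc 1 line to show the flagging; the line format is the only thing assumed from the message.

```python
"""Triage DSRetroclPlugin 'delete_changerecord' failures from a 389-ds errors log.

Added example (not from the mailing-list thread or from 389-ds).  It groups the
'could not delete change record N (rc: R)' lines, checks whether every failure is
rc 32 (LDAP noSuchObject: the record was already deleted) and whether the change
numbers form one contiguous run, which is the benign trimming pattern, and lists
anything else as suspicious.
"""
import re
from collections import Counter

# LDAP result code 32 = noSuchObject: the changelog entry no longer exists.
LDAP_NO_SUCH_OBJECT = 32

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DSRetroclPlugin - delete_changerecord: "
    r"could not delete change record (?P<num>\d+) \(rc: (?P<rc>\d+)\)$"
)

# Constructed sample in the shape of the errors log quoted above, plus one
# made-up rc 1 (operationsError) line and one unrelated line the parser must skip.
SAMPLE_LOG = """\
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15892 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15893 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15894 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15895 (rc: 32)
[12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15896 (rc: 32)
[12/Jul/2016:11:16:44 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15897 (rc: 1)
[12/Jul/2016:11:16:44 +0200] NSMMReplicationPlugin - some unrelated line that is ignored
"""


def parse_trim_errors(text):
    """Return a list of (timestamp, change_number, rc) for every matching line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("ts"), int(m.group("num")), int(m.group("rc"))))
    return out


def contiguous_ranges(numbers):
    """Collapse change numbers into sorted (first, last) runs of consecutive values."""
    ranges = []
    for n in sorted(set(numbers)):
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def triage(text):
    """Summarise the failures and decide whether they match the benign trimming pattern."""
    errors = parse_trim_errors(text)
    rc_counts = Counter(rc for _, _, rc in errors)
    ranges = contiguous_ranges(num for _, num, _ in errors)
    suspicious = [(ts, num, rc) for ts, num, rc in errors if rc != LDAP_NO_SUCH_OBJECT]
    # Benign only if there is something to report, every rc is noSuchObject and the
    # change numbers are one unbroken run (the trimmer walking past deleted records).
    benign = bool(errors) and not suspicious and len(ranges) == 1
    return {
        "count": len(errors),
        "rc_counts": dict(rc_counts),
        "ranges": ranges,
        "suspicious": suspicious,
        "benign": benign,
    }


if __name__ == "__main__":
    # Typical use: triage(open("/var/log/dirsrv/slapd-INSTANCE/errors").read())
    print(triage(SAMPLE_LOG))
```

On the ten lines quoted in the message the result is one range, 15892 to 15901, all rc 32, so the summary reports it as benign; the constructed rc 1 line in the sample shows what a non-benign failure looks like in the output.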
From pspacek at redhat.com Tue Jul 12 11:07:20 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 12 Jul 2016 13:07:20 +0200
Subject: [Freeipa-users] DNS service named in one of our IPA server cannot start
In-Reply-To:
References:
Message-ID:

On 9.7.2016 02:47, lm gnid wrote:
> Hello,
>
> In one of our IPA servers, the named service suddenly cannot start, so I followed the link below:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>
> Found some errors like below:
>
> ==> messages <==
>
> Jul 8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed
>
> It should be an "Invalid credentials: bind to LDAP server failed" error, however, the commands below show no issues to me:
>
> [root at eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
> DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM: kvno = 2
>
> [root at eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
> Keytab name: FILE:/etc/named.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com at INTERNAL.COM
>
> [root at eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
> [root at eupreprd-ops-ipa-01 ~]
>
> [root at eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket"' -Y GSSAPI -b 'cn=dns, dc=internal,dc=com'
> ......
>
> For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos" to make it work, but still want to know how to recover to "sasl"?

Huh, this is really weird. The only idea I have is that there is some replication issue between the IPA servers so server1 has a different key for the DNS service principal than server2.

In theory servers to contact can be chosen randomly so named might have been unlucky and attempted to contact the 'wrong' server while kinit might have been lucky and contacted the 'right' one.

Please check things mentioned in http://www.freeipa.org/page/Troubleshooting#Replication_issues

I hope it helps!

--
Petr^2 Spacek

From lkrispen at redhat.com Tue Jul 12 13:42:30 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 12 Jul 2016 15:42:30 +0200
Subject: [Freeipa-users] Could not delete change record
In-Reply-To:
References:
Message-ID: <5784F3C6.2010906@redhat.com>

On 07/12/2016 11:25 AM, Christophe TREFOIS wrote:
> Hi,
>
> I have 3 replicas running 4.1 and 3 replicas running 4.2.
>
> One of the 4.2 replicas is the new master (CRL) and is at the moment
> replicating against the old 4.1 cluster (we are in the process of
> migrating).
>
> Upon restart of the 4.2 master, I receive many messages in slapd error
> log about delete_changerecord as seen below.
>
> Is this something to worry about, or will it go away by itself?

it should go away, it is a problem of incorrect starting point for retro changelog trimming and it tries to remove already deleted records.
> > Thank you for your help, > > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15892 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15893 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15894 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15895 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15896 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15897 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15898 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15899 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15900 (rc: 32) > [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: > could not delete change record 15901 (rc: 32) > > *Christophe* > > > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- An HTML attachment was scrubbed... URL: From christophe.trefois at uni.lu Tue Jul 12 13:57:28 2016 From: christophe.trefois at uni.lu (Christophe TREFOIS) Date: Tue, 12 Jul 2016 13:57:28 +0000 Subject: [Freeipa-users] Could not delete change record In-Reply-To: <5784F3C6.2010906@redhat.com> References: <5784F3C6.2010906@redhat.com> Message-ID: <7BB8BF75-EE6F-40FB-97DE-4A6133F47892@uni.lu> Ok thanks Ludwig! Got scared for a second :) Best, Dr Christophe Trefois, Dipl.-Ing. 
Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

----
This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies.
----

On 12 Jul 2016, at 15:42, Ludwig Krispenz wrote:

On 07/12/2016 11:25 AM, Christophe TREFOIS wrote:
Hi,

I have 3 replicas running 4.1 and 3 replicas running 4.2.

One of the 4.2 replicas is the new master (CRL) and is at the moment replicating against the old 4.1 cluster (we are in the process of migrating).

Upon restart of the 4.2 master, I receive many messages in slapd error log about delete_changerecord as seen below.

Is this something to worry about, or will it go away by itself?

it should go away, it is a problem of incorrect starting point for retro changelog trimming and it tries to remove already deleted records.
Thank you for your help, [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15892 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15893 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15894 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15895 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15896 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15897 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15898 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15899 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15900 (rc: 32) [12/Jul/2016:11:16:43 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 15901 (rc: 32) Christophe -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From joannadelaporte at gmail.com Tue Jul 12 15:13:08 2016 From: joannadelaporte at gmail.com (Joanna Delaporte) Date: Tue, 12 Jul 2016 10:13:08 -0500 Subject: [Freeipa-users] Can I migrate group password hashes from NIS? 
In-Reply-To: <577D76F6.70502@redhat.com> References: <577D76F6.70502@redhat.com> Message-ID: Hi Rob, I'm sorry, I don't know how to list available pre-defined attributes, and I wasn't able to find it just now looking through the help menu. Is the attribute key grpassword, grouppassword, or something else? Thanks! Joanna On Wed, Jul 6, 2016 at 4:24 PM, Rob Crittenden wrote: > Joanna Delaporte wrote: > >> I have successfully migrated some user password hashes from an NIS >> domain. I am wondering if there is a similar method for migrating group >> passwords. I haven't found any discussion or documentation on it. >> > > You do it the same way as users. Note that there are no IPA commands to > manage a group password and group passwords are completely untested (the > attribute is available though). > > rob > > -- Joanna Delaporte Linux Systems Administrator | Parkland College joannadelaporte at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Tue Jul 12 15:23:18 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 12 Jul 2016 17:23:18 +0200 Subject: [Freeipa-users] Can I migrate group password hashes from NIS? In-Reply-To: References: <577D76F6.70502@redhat.com> Message-ID: <6823b230-198a-e581-f1fb-569aca58e11d@redhat.com> On 12.7.2016 17:13, Joanna Delaporte wrote: > Hi Rob, > > I'm sorry, I don't know how to list available pre-defined attributes, and I > wasn't able to find it just now looking through the help menu. Is the > attribute key grpassword, grouppassword, or something else? The attribute called 'userpassword' can be added to 'posixGroup' object class as well. I would start with that, but again, it is completely untested. Please report your finding, I'm curious :-) Petr^2 Spacek > On Wed, Jul 6, 2016 at 4:24 PM, Rob Crittenden wrote: > >> Joanna Delaporte wrote: >> >>> I have successfully migrated some user password hashes from an NIS >>> domain. 
>>> I am wondering if there is a similar method for migrating group
>>> passwords. I haven't found any discussion or documentation on it.
>>>
>>
>> You do it the same way as users. Note that there are no IPA commands to
>> manage a group password and group passwords are completely untested (the
>> attribute is available though).

From bahanw042014 at gmail.com Tue Jul 12 17:17:03 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Tue, 12 Jul 2016 19:17:03 +0200
Subject: [Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved
Message-ID:

Hello everyone.

I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters).

Today I tried to restart the IPA service with the command
###
service ipa restart
###

And I got the following warning concerning the pkica service:
###
Since the file '/var/lib/pki-ca/conf/CS.cfg.bak.saved' exists, a previous backup attempt has failed! Backups will be discontinued until this issue has been resolved!
###

And then the service gets KO.

I wanted to know, may you tell me when this file CS.cfg.bak.saved is created?
Also, do you know why the presence of this file prevents the ipa service from starting?

Thank you in advance for your help.

BR.

Bahan
From pgb205 at yahoo.com Tue Jul 12 18:40:22 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 12 Jul 2016 18:40:22 +0000 (UTC)
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com>

+freeipa-users list

From: pgb205
To: Sumit Bose
Sent: Tuesday, July 12, 2016 2:12 PM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

Sumit, thanks for replying

So the first issue is my fault, probably from when I was sanitizing logs. Our active directory domain is ad_domain.local, but users would expect to login as userid at ad_domain.com or just userid. For ipa the kerberos realm is IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.

ewr-fipa_server used to be old trial server so I am not sure why it's still in the dns lookup results. I'll check this part further.

Lastly, only the connection to one of the domain controllers on AD side is open. As discussed previously with Alexander Bokovoy I forced, in /etc/krb5.conf, a connection to this single, accessible domain controller. Are there any other files where I would need to lock down the connections between ipa->ad so that all traffic goes to specific active directory domain controller?

thanks again for replying so quickly.
From: Sumit Bose
To: pgb205
Cc: Sumit Bose
Sent: Tuesday, July 12, 2016 5:37 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> Sumit,
> sssd log files attached with debug=10 in all sections. I have attempted several logins for comparison as well as kinit commands

I came across two issues in the logs.

First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt but there seems to be an alternative domain suffix 'AD_DOMAIN.COM' on the AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently FreeIPA cannot resolve those principals correctly. It was planned for IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime please try the work-around suggested at the end of http://osdir.com/ml/freeipa-users/2016-01/msg00304.html .

When trying to authenticate with user at AD_DOMAIN.COM SSSD looks for a server called ewr-fipa_server.ad_domain.com but cannot find it and returns the error code for "Cannot contact any KDC for requested realm".

Second there are some issues accessing AD DCs via LDAP. SSSD tries to connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but both fail. It is not clear from the logs if already the DNS lookup for those fails or if the connection itself runs into a timeout. In the former case you should make sure that the names can be resolved on the IPA server, in the latter you can try to increase ldap_network_timeout (see man sssd-ldap for details).

Since SSSD cannot connect to the DCs it switches the AD domains to offline. The authentication request is handled offline as well but since there are no cached credentials you get the permission denied error.

HTH

bye,
Sumit

>
> From: Sumit Bose
> To: pgb205
> Cc: "Freeipa-users at redhat.com"
> Sent: Monday, July 11, 2016 3:06 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:
> > I have successfully established trust and am able to obtain ticket granting ticket
> > kinit user at AD_DOMAIN.COM
> > I can also do kinit admin at IPA_DOMAIN.COM
> > ssh admin at IPA_DOMAIN.COM also works
> > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
> > I have checked that there are no hbac rules other than the default allow_all rule
> > in sssd_ssh.log see
> > permission denied (6) error
> > in sssd_ipa.domain.log file I see
> > pam_handler_callback 6 permission_denied
> > in sssd_nss.log
> > Unable to get information from Data Provider
> > Error: 3 Account info lookup failed
> > Will try to return what we have in cache
> > in /var/log/secure
> > received for user user at AD_DOMAIN.COM: 6 (Permission denied)
> >
> > I can provide full logs if necessary to diagnose the above problem.
>
> Yes, full SSSD logs with debug_level=10 would be best.
>
> > ----------
> > Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
> > My understanding that only thing that I have to change to make this happen is /etc/krb5.conf for line
> > [libdefaults]
> > default_realm=AD_DOMAN.COM
> > and then restarting ipa services.
>
> No, please do not change the default_realm. This is not related to the
> issues you are seeing.
>
> bye,
> Sumit
>
> > However, when I do this I get failure to restart Samba service
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
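An added example, not code from this thread or from SSSD: a Python check that answers the question Sumit raises above, whether the AD DCs fail at the DNS lookup or at the TCP connection to the LDAP port. It resolves each name first and only then opens a connection with a timeout, so the two failure modes are reported separately, and maps each to the remedy Sumit names (fix resolution on the IPA server, or raise ldap_network_timeout). The DC names are taken from the thread but are assumed placeholders, and demo_offline() runs the same logic against stand-in resolver and connector functions so the script works without network access.

```python
"""Separate 'name does not resolve' from 'connection times out' for AD DCs.

Added example (not from the thread or from SSSD).  check_dc() resolves the host,
then opens a TCP connection to the LDAP port with a timeout, and reports which
stage failed.  The resolver/connector are injectable so the logic can be run
offline with stand-ins (see demo_offline).
"""
import socket

LDAP_PORT = 389

# Constructed list: the DC names mentioned in the thread, used here as placeholders.
DOMAIN_CONTROLLERS = ["mm-sfdc01.ad_domain.local", "mm-tokyo-02.ad_domain.local"]


def check_dc(host, port=LDAP_PORT, timeout=5.0,
             resolver=socket.getaddrinfo, connector=socket.create_connection):
    """Return a dict with the failing stage ('dns' or 'connect'), or ok=True."""
    # Stage 1: does the name resolve at all on this host?
    try:
        addrs = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"host": host, "stage": "dns", "ok": False, "detail": str(exc)}
    if not addrs:
        return {"host": host, "stage": "dns", "ok": False, "detail": "no addresses"}
    ip = addrs[0][4][0]
    # Stage 2: can we complete a TCP handshake to the LDAP port within the timeout?
    try:
        conn = connector((ip, port), timeout=timeout)
        conn.close()
    except socket.timeout:
        return {"host": host, "stage": "connect", "ok": False,
                "detail": f"timed out after {timeout}s to {ip}:{port}"}
    except OSError as exc:
        return {"host": host, "stage": "connect", "ok": False,
                "detail": f"{ip}:{port}: {exc}"}
    return {"host": host, "stage": "done", "ok": True, "detail": f"{ip}:{port} reachable"}


def check_all(hosts, **kwargs):
    """Run check_dc over every DC name and return the list of results."""
    return [check_dc(h, **kwargs) for h in hosts]


def advice(result):
    """Map a result to the remedy suggested in the thread for that failure mode."""
    if result["ok"]:
        return "reachable; look at the SSSD domain log for the LDAP bind itself"
    if result["stage"] == "dns":
        return "fix name resolution on the IPA server for this DC"
    return "network path or firewall problem; consider raising ldap_network_timeout in sssd.conf"


def demo_offline():
    """Run the checks against constructed stand-ins: one DC that does not resolve,
    one that resolves but never answers on the LDAP port."""
    def resolver(host, port, **kw):
        if host.startswith("mm-sfdc01"):
            raise socket.gaierror(-2, "Name or service not known")
        # Documentation-range address (RFC 5737), constructed for the demo.
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]

    def connector(addr, timeout=None):
        raise socket.timeout("timed out")

    return check_all(DOMAIN_CONTROLLERS, timeout=1.0, resolver=resolver, connector=connector)


if __name__ == "__main__":
    # Offline demonstration; drop the resolver/connector arguments to test real DCs.
    for res in demo_offline():
        print(res["host"], res["stage"], res["detail"], "->", advice(res))
```

Run on the IPA server itself (where SSSD makes the connections), since a DC may resolve and answer from an admin workstation yet be unreachable from the server's network segment.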
From linuxguru.co at gmail.com Tue Jul 12 19:34:46 2016
From: linuxguru.co at gmail.com (Devin Acosta)
Date: Tue, 12 Jul 2016 12:34:46 -0700
Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
Message-ID:

I am trying to add a 4th replica to my FreeIPA installation. I am running the latest CentOS 7.2 (full updates) and I have tried multiple times and it fails every time in the same location. When it fails I remove the replication agreements and try again and it keeps failing in the same location.

[root at ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at RSINC.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa03-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.
Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: configure dirsrv ccache [22/38]: enable SASL mapping fallback [23/38]: restarting directory server [24/38]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4 seconds elapsed Update succeeded [25/38]: updating schema [26/38]: setting Auto Member configuration [27/38]: enabling S4U2Proxy delegation [28/38]: importing CA certificates from LDAP [29/38]: initializing group membership [30/38]: adding master entry [31/38]: initializing domain level [32/38]: configuring Posix uid/gid generation [33/38]: adding replication acis [34/38]: enabling compatibility plugin [35/38]: activating sidgen plugin [36/38]: activating extdom plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica

Please see attached file for the full log file.

Any help would be appreciated!

2016-07-12T18:50:11Z DEBUG Logging to /var/log/ipareplica-install.log
2016-07-12T18:50:11Z DEBUG ipa-replica-install was invoked with arguments ['replica-info-ipa03-aws.rsinc.local.gpg'] and options: {'no_dns_sshfp': None, 'skip_schema_check': None, 'no_ntp': None, 'setup_kra': None, 'ip_addresses': None, 'mkhomedir': None, 'setup_ca': None, 'no_pkinit': None, 'verbose': False, 'no_forwarders': None, 'ssh_trust_dns': None, 'setup_dns': None, 'no_reverse': None, 'reverse_zones': None, 'unattended': False, 'no_host_dns': None, 'no_sshd': None, 'no_ui_redirect': None, 'forwarders': None, 'skip_conncheck': None, 'no_ssh': None, 'quiet': False, 'no_dnssec_validation': None, 'log_file': None}
2016-07-12T18:50:11Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.17
2016-07-12T18:50:11Z DEBUG Starting external process
2016-07-12T18:50:11Z DEBUG args='/usr/sbin/selinuxenabled'
2016-07-12T18:50:11Z DEBUG Process finished, return code=0
2016-07-12T18:50:11Z DEBUG stdout=
2016-07-12T18:50:11Z DEBUG stderr=
2016-07-12T18:50:11Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index' 2016-07-12T18:50:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:50:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-07-12T18:50:11Z DEBUG Starting external process 2016-07-12T18:50:11Z DEBUG args='/usr/sbin/httpd' '-t' '-D' 'DUMP_VHOSTS' 2016-07-12T18:50:11Z DEBUG Process finished, return code=0 2016-07-12T18:50:11Z DEBUG stdout=VirtualHost configuration: *:8443 ipa03-aws.rsinc.local (/etc/httpd/conf.d/nss.conf:83) 2016-07-12T18:50:11Z DEBUG stderr= 2016-07-12T18:50:11Z DEBUG Starting external process 2016-07-12T18:50:11Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service' 2016-07-12T18:50:11Z DEBUG Process finished, return code=0 2016-07-12T18:50:11Z DEBUG stdout=enabled 2016-07-12T18:50:11Z DEBUG stderr= 2016-07-12T18:50:14Z DEBUG Starting external process 2016-07-12T18:50:14Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir' '/tmp/tmp34bUDTipa/ipa-MkvnMP/.gnupg' '--daemon' '/usr/bin/gpg' '--batch' '--homedir' '/tmp/tmp34bUDTipa/ipa-MkvnMP/.gnupg' '--passphrase-fd' '0' '--yes' '--no-tty' '-o' '/tmp/tmp34bUDTipa/files.tar' '-d' 'replica-info-ipa03-aws.rsinc.local.gpg' 2016-07-12T18:50:14Z DEBUG Process finished, return code=0 2016-07-12T18:50:14Z DEBUG Starting external process 2016-07-12T18:50:14Z DEBUG args='tar' 'xf' '/tmp/tmp34bUDTipa/files.tar' '-C' '/tmp/tmp34bUDTipa' 2016-07-12T18:50:14Z DEBUG Process finished, return code=0 2016-07-12T18:50:14Z DEBUG stdout= 2016-07-12T18:50:14Z DEBUG stderr= 2016-07-12T18:50:14Z DEBUG Installing replica file with version 40200 (0 means no version in prepared file). 
2016-07-12T18:50:14Z DEBUG Check if ipa03-aws.rsinc.local is a primary hostname for localhost
2016-07-12T18:50:14Z DEBUG Primary hostname for localhost: ipa03-aws.rsinc.local
2016-07-12T18:50:14Z DEBUG Search DNS for ipa03-aws.rsinc.local
2016-07-12T18:50:14Z DEBUG Check if ipa03-aws.rsinc.local is not a CNAME
2016-07-12T18:50:15Z DEBUG Check reverse address of 10.40.0.242
2016-07-12T18:50:15Z DEBUG Found reverse name: ipa03-aws.rsinc.local
2016-07-12T18:50:15Z DEBUG importing all plugin modules in ipalib.plugins...
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.aci
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.automember
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.automount
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.baseldap
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.baseuser
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.batch
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.caacl
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.cert
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.certprofile
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.config
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.delegation
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.dns
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.domainlevel
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.group
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.hbacrule
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.hbactest
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.host
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.hostgroup
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.idrange
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.idviews
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.internal
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.kerberos
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.migration
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.misc
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.netgroup
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.otpconfig
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.otptoken
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.passwd
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.permission
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.ping
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.pkinit
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.privilege
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2016-07-12T18:50:15Z DEBUG Starting external process
2016-07-12T18:50:15Z DEBUG args='klist' '-V'
2016-07-12T18:50:15Z DEBUG Process finished, return code=0
2016-07-12T18:50:15Z DEBUG stdout=Kerberos 5 version 1.13.2
2016-07-12T18:50:15Z DEBUG stderr=
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.realmdomains
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.role
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.rpcclient
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.selfservice
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.server
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.service
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.servicedelegation
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.session
2016-07-12T18:50:15Z WARNING session memcached servers not running
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.stageuser
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.sudocmd
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.sudorule
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.topology
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.trust
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.user
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.vault
2016-07-12T18:50:15Z DEBUG importing plugin module ipalib.plugins.virtual
2016-07-12T18:50:15Z DEBUG importing all plugin modules in ipaserver.plugins...
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.plugins.dogtag
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.plugins.join
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.plugins.ldap2
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.plugins.rabase
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2016-07-12T18:50:15Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.dns
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2016-07-12T18:50:15Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2016-07-12T18:50:15Z DEBUG SessionAuthManager.register: name=jsonserver_session_59557136
2016-07-12T18:50:15Z DEBUG SessionAuthManager.register: name=xmlserver_session_59559568
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:15Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
2016-07-12T18:50:15Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:16Z DEBUG Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
2016-07-12T18:50:16Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:16Z DEBUG Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
2016-07-12T18:50:16Z DEBUG Check if ipa01-aws.rsinc.local is a primary hostname for localhost
2016-07-12T18:50:16Z DEBUG Primary hostname for localhost: ipa01-aws.rsinc.local
2016-07-12T18:50:16Z DEBUG Search DNS for ipa01-aws.rsinc.local
2016-07-12T18:50:21Z DEBUG Check if ipa01-aws.rsinc.local is not a CNAME
2016-07-12T18:50:21Z DEBUG Check reverse address of 10.10.0.88
2016-07-12T18:50:21Z DEBUG Found reverse name: ipa01-aws.rsinc.local
2016-07-12T18:50:21Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-N' '-f' '/tmp/tmprj5lWPipa/pwdfile.txt'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/pk12util' '-d' '/tmp/tmprj5lWPipa' '-i' '/tmp/tmp34bUDTipa/realm_info/dscert.p12' '-k' '/tmp/tmprj5lWPipa/pwdfile.txt' '-v' '-w' '/dev/stdin'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-L'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           ,,

2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-A' '-n' 'CA 1' '-t' ',,' '-a'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-O' '-n' 'Server-Cert'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-M' '-n' 'RSINC.LOCAL IPA CA' '-t' 'CT,C,C'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-O' '-n' 'Server-Cert'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-L' '-n' 'RSINC.LOCAL IPA CA' '-a'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtSU0lO
Qy5MT0NBTDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDMx
MTE2NDMxNVoXDTM2MDMxMTE2NDMxNVowNjEUMBIGA1UECgwLUlNJTkMuTE9DQUwx
HjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMeuq3fFabQUU4lMQmLEQmN4ryu3bp6ekaBc/+4txdYg
AYiSUvZOChcS+6l0XWl/d1u5txR5BIKdADCvO9rcIglQbvn1y6scjbmMqzd4xtCE
IN28t1ywPQlWIAGSLw2VDuZ/lmKxmyG00RMxKRvZYuWe/pHZqiza9Rywyt+hjxDK
GjghSMGujqYiGXuDviR79q+g7WFQP+8e3D59NmGa8N9iGHaVOBYiNBJIS9raDWmY
LvpHY5cBUYrhBGsIIia3l+V2a+9RPXceF7dN5b3xVae5BK2r39ohFtzZw6b1StVS
QLeuAexrabVUZEEltzcSUyZo1pZqfsOfyOA5LUWsIsUCAwEAAaOBqTCBpjAfBgNV
HSMEGDAWgBS7H+9FH63CaSCM3WK2HMFJFSqzUjAPBgNVHRMBAf8EBTADAQH/MA4G
A1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUux/vRR+twmkgjN1ithzBSRUqs1IwQwYI
KwYBBQUHAQEENzA1MDMGCCsGAQUFBzABhidodHRwOi8vaXBhMDEtYXdzLnJzaW5j
LmxvY2FsOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAIuAZ1+x3we31MvO
ZRB3fg3F8JVALb8iZ8EMSktNIlW71A6UwlwMwJi/1yGBuTAp6GwgZTKETBJ40hqx
1G7DSXaViXmIf8ERRvM/0LEba+Skokt9N+F+kQeOE340/YEMvUR/uiGaaEurA3dm
WsoJ0z/X401qHLH7XIyTKubI+TK6unVFwO+p6OUb/n+/ZTBPY5CluwsH67qHxAFf
WBsn6fd+2kl10LC6Z/drQ+yPbApn8wo0k1Pvht2w01nFji9z3C6zsk7JG+EJ0l8W
LqXaFqEeRJlG+aPmadqEYDWBE8A05+5euoc8z/zLJXZLWSMs4PpKwcuWlWZ+84gV
N2jzdNA=
-----END CERTIFICATE-----
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmprj5lWPipa' '-L'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           CT,C,C

2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-N' '-f' '/tmp/tmpX8lR1Xipa/pwdfile.txt'
2016-07-12T18:50:21Z DEBUG Process finished, return code=0
2016-07-12T18:50:21Z DEBUG stdout=
2016-07-12T18:50:21Z DEBUG stderr=
2016-07-12T18:50:21Z DEBUG Starting external process
2016-07-12T18:50:21Z DEBUG args='/usr/bin/pk12util' '-d' '/tmp/tmpX8lR1Xipa' '-i' '/tmp/tmp34bUDTipa/realm_info/httpcert.p12' '-k' '/tmp/tmpX8lR1Xipa/pwdfile.txt' '-v' '-w' '/dev/stdin'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-L'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           ,,

2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-A' '-n' 'CA 1' '-t' ',,' '-a'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-O' '-n' 'Server-Cert'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-M' '-n' 'RSINC.LOCAL IPA CA' '-t' 'CT,C,C'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-O' '-n' 'Server-Cert'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-L' '-n' 'RSINC.LOCAL IPA CA' '-a'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtSU0lO
Qy5MT0NBTDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDMx
MTE2NDMxNVoXDTM2MDMxMTE2NDMxNVowNjEUMBIGA1UECgwLUlNJTkMuTE9DQUwx
HjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMeuq3fFabQUU4lMQmLEQmN4ryu3bp6ekaBc/+4txdYg
AYiSUvZOChcS+6l0XWl/d1u5txR5BIKdADCvO9rcIglQbvn1y6scjbmMqzd4xtCE
IN28t1ywPQlWIAGSLw2VDuZ/lmKxmyG00RMxKRvZYuWe/pHZqiza9Rywyt+hjxDK
GjghSMGujqYiGXuDviR79q+g7WFQP+8e3D59NmGa8N9iGHaVOBYiNBJIS9raDWmY
LvpHY5cBUYrhBGsIIia3l+V2a+9RPXceF7dN5b3xVae5BK2r39ohFtzZw6b1StVS
QLeuAexrabVUZEEltzcSUyZo1pZqfsOfyOA5LUWsIsUCAwEAAaOBqTCBpjAfBgNV
HSMEGDAWgBS7H+9FH63CaSCM3WK2HMFJFSqzUjAPBgNVHRMBAf8EBTADAQH/MA4G
A1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUux/vRR+twmkgjN1ithzBSRUqs1IwQwYI
KwYBBQUHAQEENzA1MDMGCCsGAQUFBzABhidodHRwOi8vaXBhMDEtYXdzLnJzaW5j
LmxvY2FsOjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAIuAZ1+x3we31MvO
ZRB3fg3F8JVALb8iZ8EMSktNIlW71A6UwlwMwJi/1yGBuTAp6GwgZTKETBJ40hqx
1G7DSXaViXmIf8ERRvM/0LEba+Skokt9N+F+kQeOE340/YEMvUR/uiGaaEurA3dm
WsoJ0z/X401qHLH7XIyTKubI+TK6unVFwO+p6OUb/n+/ZTBPY5CluwsH67qHxAFf
WBsn6fd+2kl10LC6Z/drQ+yPbApn8wo0k1Pvht2w01nFji9z3C6zsk7JG+EJ0l8W
LqXaFqEeRJlG+aPmadqEYDWBE8A05+5euoc8z/zLJXZLWSMs4PpKwcuWlWZ+84gV
N2jzdNA=
-----END CERTIFICATE-----
2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG Starting external process
2016-07-12T18:50:22Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmpX8lR1Xipa' '-L'
2016-07-12T18:50:22Z DEBUG Process finished, return code=0
2016-07-12T18:50:22Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           CT,C,C

2016-07-12T18:50:22Z DEBUG stderr=
2016-07-12T18:50:22Z DEBUG importing all plugin modules in ipalib.plugins...
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.aci
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.automember
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.automount
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.baseldap
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.baseuser
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.batch
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.caacl
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.cert
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.certprofile
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.config
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.delegation
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.dns
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.domainlevel
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.group
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.hbacrule
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.hbactest
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.host
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.hostgroup
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.idrange
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.idviews
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.internal
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.kerberos
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.migration
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.misc
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.netgroup
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.otpconfig
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.otptoken
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.passwd
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.permission
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.ping
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.pkinit
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.privilege
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.realmdomains
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.role
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.rpcclient
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.selfservice
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.server
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.service
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.servicedelegation
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.session
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.stageuser
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.sudocmd
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.sudorule
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.topology
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.trust
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.user
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.vault
2016-07-12T18:50:22Z DEBUG importing plugin module ipalib.plugins.virtual
2016-07-12T18:50:22Z DEBUG importing all plugin modules in ipaserver.plugins...
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.plugins.dogtag
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.plugins.join
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.plugins.ldap2
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.plugins.rabase
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2016-07-12T18:50:22Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.dns
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2016-07-12T18:50:22Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2016-07-12T18:50:22Z DEBUG SessionAuthManager.register: name=jsonserver_session_90330320
2016-07-12T18:50:22Z DEBUG SessionAuthManager.register: name=xmlserver_session_90332176
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
2016-07-12T18:50:22Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:50:22Z DEBUG Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
2016-07-12T18:50:24Z DEBUG Created connection context.ldap2_90329936
2016-07-12T18:50:25Z DEBUG raw: domainlevel_get(version=u'2.156')
2016-07-12T18:50:25Z DEBUG domainlevel_get(version=u'2.156')
2016-07-12T18:50:25Z DEBUG flushing ldaps://ipa01-aws.rsinc.local from SchemaCache
2016-07-12T18:50:25Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local conn=
2016-07-12T18:50:29Z DEBUG Check forward/reverse DNS resolution
2016-07-12T18:50:29Z DEBUG Search DNS server ipa01-aws.rsinc.local (['10.10.0.88', '10.10.0.88', '10.10.0.88']) for ipa01-aws.rsinc.local
2016-07-12T18:50:30Z DEBUG Check reverse address 10.10.0.88 (ipa01-aws.rsinc.local)
2016-07-12T18:50:30Z DEBUG Address 10.10.0.88 resolves to: ipa01-aws.rsinc.local..
2016-07-12T18:50:35Z DEBUG Search DNS server ipa01-aws.rsinc.local (['10.10.0.88', '10.10.0.88', '10.10.0.88']) for ipa03-aws.rsinc.local
2016-07-12T18:50:37Z DEBUG Check reverse address 10.40.0.242 (ipa03-aws.rsinc.local)
2016-07-12T18:50:37Z DEBUG Address 10.40.0.242 resolves to: ipa03-aws.rsinc.local..
2016-07-12T18:50:37Z DEBUG Destroyed connection context.ldap2_90329936
2016-07-12T18:50:37Z DEBUG Starting external process
2016-07-12T18:50:37Z DEBUG args='/sbin/ip' '-family' 'inet' '-oneline' 'address' 'show'
2016-07-12T18:50:37Z DEBUG Process finished, return code=0
2016-07-12T18:50:37Z DEBUG stdout=1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.40.0.242/24 brd 10.40.0.255 scope global dynamic eth0\       valid_lft 2160sec preferred_lft 2160sec
2016-07-12T18:50:37Z DEBUG stderr=
2016-07-12T18:50:37Z DEBUG Starting external process
2016-07-12T18:50:37Z DEBUG args='/usr/sbin/ipa-replica-conncheck' '--master' 'ipa01-aws.rsinc.local' '--auto-master-check' '--realm' 'RSINC.LOCAL' '--principal' 'admin' '--hostname' 'ipa03-aws.rsinc.local'
2016-07-12T18:51:19Z DEBUG Process finished, return code=0
2016-07-12T18:51:19Z DEBUG group dirsrv exists
2016-07-12T18:51:19Z DEBUG user dirsrv exists
2016-07-12T18:51:25Z DEBUG Created connection context.ldap2_90329936
2016-07-12T18:51:25Z DEBUG flushing ldaps://ipa01-aws.rsinc.local from SchemaCache
2016-07-12T18:51:25Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local conn=
2016-07-12T18:51:25Z DEBUG Starting external process
2016-07-12T18:51:25Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2016-07-12T18:51:25Z DEBUG Process finished, return code=0
2016-07-12T18:51:25Z DEBUG stdout=enabled
2016-07-12T18:51:25Z DEBUG stderr=
2016-07-12T18:51:25Z DEBUG Starting external process
2016-07-12T18:51:25Z DEBUG args='/bin/systemctl' 'is-active' 'chronyd.service'
2016-07-12T18:51:25Z DEBUG Process finished, return code=0
2016-07-12T18:51:25Z DEBUG stdout=active
2016-07-12T18:51:25Z DEBUG stderr=
2016-07-12T18:51:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:25Z DEBUG Starting external process
2016-07-12T18:51:25Z DEBUG args='/bin/systemctl' 'stop' 'chronyd.service'
2016-07-12T18:51:25Z DEBUG Process finished, return code=0
2016-07-12T18:51:25Z DEBUG stdout=
2016-07-12T18:51:25Z DEBUG stderr=
2016-07-12T18:51:25Z DEBUG Starting external process
2016-07-12T18:51:25Z DEBUG args='/bin/systemctl' 'disable' 'chronyd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=0
2016-07-12T18:51:26Z DEBUG stdout=
2016-07-12T18:51:26Z DEBUG stderr=Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
2016-07-12T18:51:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:26Z DEBUG Configuring NTP daemon (ntpd)
2016-07-12T18:51:26Z DEBUG   [1/4]: stopping ntpd
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'is-active' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=3
2016-07-12T18:51:26Z DEBUG stdout=unknown
2016-07-12T18:51:26Z DEBUG stderr=
2016-07-12T18:51:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'stop' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=0
2016-07-12T18:51:26Z DEBUG stdout=
2016-07-12T18:51:26Z DEBUG stderr=
2016-07-12T18:51:26Z DEBUG duration: 0 seconds
2016-07-12T18:51:26Z DEBUG   [2/4]: writing configuration
2016-07-12T18:51:26Z DEBUG Backing up system configuration file '/etc/ntp.conf'
2016-07-12T18:51:26Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:26Z DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2016-07-12T18:51:26Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:26Z DEBUG duration: 0 seconds
2016-07-12T18:51:26Z DEBUG   [3/4]: configuring ntpd to start on boot
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'is-enabled' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=1
2016-07-12T18:51:26Z DEBUG stdout=disabled
2016-07-12T18:51:26Z DEBUG stderr=
2016-07-12T18:51:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'enable' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=0
2016-07-12T18:51:26Z DEBUG stdout=
2016-07-12T18:51:26Z DEBUG stderr=Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
2016-07-12T18:51:26Z DEBUG duration: 0 seconds
2016-07-12T18:51:26Z DEBUG   [4/4]: starting ntpd
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'start' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=0
2016-07-12T18:51:26Z DEBUG stdout=
2016-07-12T18:51:26Z DEBUG stderr=
2016-07-12T18:51:26Z DEBUG Starting external process
2016-07-12T18:51:26Z DEBUG args='/bin/systemctl' 'is-active' 'ntpd.service'
2016-07-12T18:51:26Z DEBUG Process finished, return code=0
2016-07-12T18:51:26Z DEBUG stdout=active
2016-07-12T18:51:26Z DEBUG stderr=
2016-07-12T18:51:26Z DEBUG duration: 0 seconds
2016-07-12T18:51:26Z DEBUG Done configuring NTP daemon (ntpd).
2016-07-12T18:51:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-07-12T18:51:26Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:26Z DEBUG Configuring directory server (dirsrv).
Estimated time: 1 minute 2016-07-12T18:51:26Z DEBUG [1/38]: creating directory server user 2016-07-12T18:51:26Z DEBUG group dirsrv exists 2016-07-12T18:51:26Z DEBUG user dirsrv exists 2016-07-12T18:51:26Z DEBUG duration: 0 seconds 2016-07-12T18:51:26Z DEBUG [2/38]: creating directory server instance 2016-07-12T18:51:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:51:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:51:26Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv' 2016-07-12T18:51:26Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-07-12T18:51:26Z DEBUG dn: dc=rsinc,dc=local objectClass: top objectClass: domain objectClass: pilotObject dc: rsinc info: IPA V2.0 2016-07-12T18:51:26Z DEBUG writing inf template 2016-07-12T18:51:26Z DEBUG [General] FullMachineName= ipa03-aws.rsinc.local SuiteSpotUserID= dirsrv SuiteSpotGroup= dirsrv ServerRoot= /usr/lib64/dirsrv [slapd] ServerPort= 389 ServerIdentifier= RSINC-LOCAL Suffix= dc=rsinc,dc=local RootDN= cn=Directory Manager InstallLdifFile= /var/lib/dirsrv/boot.ldif inst_dir= /var/lib/dirsrv/scripts-RSINC-LOCAL 2016-07-12T18:51:26Z DEBUG calling setup-ds.pl 2016-07-12T18:51:26Z DEBUG Starting external process 2016-07-12T18:51:26Z DEBUG args='/usr/sbin/setup-ds.pl' '--silent' '--logfile' '-' '-f' '/tmp/tmpl25s3I' 2016-07-12T18:51:29Z DEBUG Process finished, return code=0 2016-07-12T18:51:29Z DEBUG stdout=[16/07/12:18:51:29] - [Setup] Info Your new DS instance 'RSINC-LOCAL' was successfully created. Your new DS instance 'RSINC-LOCAL' was successfully created. [16/07/12:18:51:29] - [Setup] Success Exiting . . . Log file is '-' Exiting . . . 
Log file is '-' 2016-07-12T18:51:29Z DEBUG stderr= 2016-07-12T18:51:29Z DEBUG completed creating ds instance 2016-07-12T18:51:29Z DEBUG restarting ds instance 2016-07-12T18:51:29Z DEBUG Starting external process 2016-07-12T18:51:29Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-07-12T18:51:29Z DEBUG Process finished, return code=0 2016-07-12T18:51:29Z DEBUG stdout= 2016-07-12T18:51:29Z DEBUG stderr= 2016-07-12T18:51:29Z DEBUG Starting external process 2016-07-12T18:51:29Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:51:31Z DEBUG Process finished, return code=0 2016-07-12T18:51:31Z DEBUG stdout= 2016-07-12T18:51:31Z DEBUG stderr= 2016-07-12T18:51:31Z DEBUG Starting external process 2016-07-12T18:51:31Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:51:31Z DEBUG Process finished, return code=0 2016-07-12T18:51:31Z DEBUG stdout=active 2016-07-12T18:51:31Z DEBUG stderr= 2016-07-12T18:51:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=active 2016-07-12T18:51:32Z DEBUG stderr= 2016-07-12T18:51:32Z DEBUG done restarting ds instance 2016-07-12T18:51:32Z DEBUG duration: 6 seconds 2016-07-12T18:51:32Z DEBUG [3/38]: adding default schema 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [4/38]: enabling memberof plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/memberof-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpaZTwky' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=replace nsslapd-pluginenabled: on add memberofgroupattr: 
memberUser add memberofgroupattr: memberHost modifying entry "cn=MemberOf Plugin,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [5/38]: enabling winsync plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/ipa-winsync-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpDGr86O' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa-winsync add nsslapd-pluginpath: libipa_winsync add nsslapd-plugininitfunc: ipa_winsync_plugin_init add nsslapd-pluginDescription: Allows IPA to work with the DS windows sync feature add nsslapd-pluginid: ipa-winsync add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-plugin-depends-on-type: database add ipaWinSyncRealmFilter: (objectclass=krbRealmContainer) add ipaWinSyncRealmAttr: cn add ipaWinSyncNewEntryFilter: (cn=ipaConfig) add ipaWinSyncNewUserOCAttr: ipauserobjectclasses add ipaWinSyncUserFlatten: true add ipaWinsyncHomeDirAttr: ipaHomesRootDir add ipaWinsyncLoginShellAttr: ipaDefaultLoginShell add ipaWinSyncDefaultGroupAttr: ipaDefaultPrimaryGroup add ipaWinSyncDefaultGroupFilter: (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames) add ipaWinSyncAcctDisable: both add ipaWinSyncForceSync: true add ipaWinSyncUserAttr: uidNumber -1 gidNumber -1 adding new entry "cn=ipa-winsync,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [6/38]: configuring replication version plugin 2016-07-12T18:51:32Z 
DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/version-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpVufx4k' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA Version Replication add nsslapd-pluginpath: libipa_repl_version add nsslapd-plugininitfunc: repl_version_plugin_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: off add nsslapd-pluginid: ipa_repl_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA Replication version plugin add nsslapd-plugin-depends-on-type: database add nsslapd-plugin-depends-on-named: Multimaster Replication Plugin adding new entry "cn=IPA Version Replication,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [7/38]: enabling IPA enrollment plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpvdwlJ_' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp0DGRqi' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_enrollment_extop add nsslapd-pluginpath: libipa_enrollment_extop add nsslapd-plugininitfunc: ipaenrollment_init add nsslapd-plugintype: extendedop add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_enrollment_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Enroll hosts into the IPA domain add nsslapd-plugin-depends-on-type: database add nsslapd-realmTree: dc=rsinc,dc=local adding new entry 
"cn=ipa_enrollment_extop,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [8/38]: enabling ldapi 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpKj0al8' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpgPe4By' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=replace nsslapd-ldapilisten: on modifying entry "cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [9/38]: configuring uniqueness plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpbK4ppH' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmprrUQX8' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectClass: top nsSlapdPlugin extensibleObject add cn: krbPrincipalName uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: krbPrincipalName add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=rsinc,dc=local add uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,dc=rsinc,dc=local add uniqueness-across-all-subtrees: on adding new entry "cn=krbPrincipalName uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin 
extensibleObject add cn: krbCanonicalName uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: krbCanonicalName add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=rsinc,dc=local add uniqueness-exclude-subtrees: cn=staged users,cn=accounts,cn=provisioning,dc=rsinc,dc=local add uniqueness-across-all-subtrees: on adding new entry "cn=krbCanonicalName uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: netgroup uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: cn add uniqueness-subtrees: cn=ng,cn=alt,dc=rsinc,dc=local add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values adding new entry "cn=netgroup uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: ipaUniqueID uniqueness add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: ipaUniqueID add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project add nsslapd-pluginDescription: Enforce unique attribute values add uniqueness-subtrees: dc=rsinc,dc=local add uniqueness-exclude-subtrees: cn=staged 
users,cn=accounts,cn=provisioning,dc=rsinc,dc=local add uniqueness-across-all-subtrees: on adding new entry "cn=ipaUniqueID uniqueness,cn=plugins,cn=config" modify complete add objectClass: top nsSlapdPlugin extensibleObject add cn: sudorule name uniqueness add nsslapd-pluginDescription: Enforce unique attribute values add nsslapd-pluginPath: libattr-unique-plugin add nsslapd-pluginInitfunc: NSUniqueAttr_Init add nsslapd-pluginType: preoperation add nsslapd-pluginEnabled: on add uniqueness-attribute-name: cn add uniqueness-subtrees: cn=sudorules,cn=sudo,dc=rsinc,dc=local add nsslapd-plugin-depends-on-type: database add nsslapd-pluginId: NSUniqueAttr add nsslapd-pluginVersion: 1.1.0 add nsslapd-pluginVendor: Fedora Project adding new entry "cn=sudorule name uniqueness,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [10/38]: configuring uuid plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/uuid-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp5x4unk' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA UUID add nsslapd-pluginpath: libipa_uuid add nsslapd-plugininitfunc: ipauuid_init add nsslapd-plugintype: preoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipauuid_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. 
add nsslapd-plugindescription: IPA UUID plugin add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA UUID,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpgvIJlO' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpcigfIB' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top extensibleObject add cn: IPA Unique IDs add ipaUuidAttr: ipaUniqueID add ipaUuidMagicRegen: autogenerate add ipaUuidFilter: (|(objectclass=ipaObject)(objectclass=ipaAssociation)) add ipaUuidScope: dc=rsinc,dc=local add ipaUuidEnforce: TRUE adding new entry "cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config" modify complete add objectclass: top extensibleObject add cn: IPK11 Unique IDs add ipaUuidAttr: ipk11UniqueID add ipaUuidMagicRegen: autogenerate add ipaUuidFilter: (objectclass=ipk11Object) add ipaUuidScope: dc=rsinc,dc=local add ipaUuidEnforce: FALSE adding new entry "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [11/38]: configuring modrdn plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/modrdn-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpL0SCll' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA MODRDN add nsslapd-pluginpath: libipa_modrdn add nsslapd-plugininitfunc: ipamodrdn_init add nsslapd-plugintype: betxnpostoperation add 
nsslapd-pluginenabled: on add nsslapd-pluginid: ipamodrdn_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA MODRDN plugin add nsslapd-plugin-depends-on-type: database add nsslapd-pluginPrecedence: 60 adding new entry "cn=IPA MODRDN,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmp7a9Iy2' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpYqIrA8' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top extensibleObject add cn: Kerberos Principal Name add ipaModRDNsourceAttr: uid add ipaModRDNtargetAttr: krbPrincipalName add ipaModRDNsuffix: @RSINC.LOCAL add ipaModRDNfilter: (&(objectclass=posixaccount)(objectclass=krbPrincipalAux)) add ipaModRDNscope: dc=rsinc,dc=local adding new entry "cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [12/38]: configuring DNS plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/ipa-dns-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpYTbMOB' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsslapdPlugin extensibleObject add cn: IPA DNS add nsslapd-plugindescription: IPA DNS support plugin add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_dns add nsslapd-plugininitfunc: ipadns_init add nsslapd-pluginpath: libipa_dns.so add nsslapd-plugintype: preoperation add 
nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-pluginversion: 1.0 add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA DNS,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [13/38]: enabling entryUSN plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/entryusn.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpQNVKqh' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=replace nsslapd-entryusn-global: on modifying entry "cn=config" modify complete replace nsslapd-entryusn-import-initval: next modifying entry "cn=config" modify complete replace nsslapd-pluginenabled: on modifying entry "cn=USN,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [14/38]: configuring lockout plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/lockout-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpuM9MKr' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA Lockout add nsslapd-pluginpath: libipa_lockout add nsslapd-plugininitfunc: ipalockout_init add nsslapd-plugintype: object add nsslapd-pluginenabled: on add nsslapd-pluginid: ipalockout_version add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. 
add nsslapd-plugindescription: IPA Lockout plugin add nsslapd-plugin-depends-on-type: database adding new entry "cn=IPA Lockout,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [15/38]: creating indices 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/indices.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmptbeIHR' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=add objectClass: top nsIndex add cn: krbPrincipalName add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: ou add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: carLicense add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: title add nsSystemIndex: false add nsIndexType: eq sub adding new entry "cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: manager add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: secretary add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: displayname add nsSystemIndex: false add 
nsIndexType: eq sub adding new entry "cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add nsIndexType: sub modifying entry "cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: uidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add objectClass: top nsIndex add cn: gidnumber add nsSystemIndex: false add nsIndexType: eq add nsMatchingRule: integerOrderingMatch adding new entry "cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete replace nsIndexType: eq pres modifying entry "cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete replace nsIndexType: eq pres modifying entry "cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add ObjectClass: top nsIndex add cn: fqdn add nsSystemIndex: false add nsIndexType: eq pres adding new entry "cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add ObjectClass: top nsIndex add cn: macAddress add nsSystemIndex: false add nsIndexType: eq pres adding new entry "cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberHost add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberUser add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: sourcehost add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=sourcehost,cn=index,cn=userRoot,cn=ldbm 
database,cn=plugins,cn=config" modify complete add cn: memberservice add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: managedby add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberallowcmd add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: memberdenycmd add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipasudorunas add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipasudorunasgroup add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: automountkey add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipakrbprincipalalias add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipauniqueid add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq adding new entry "cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipaMemberCa add 
ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: ipaMemberCertProfile add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres sub adding new entry "cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete add cn: userCertificate add ObjectClass: top nsIndex add nsSystemIndex: false add nsIndexType: eq pres adding new entry "cn=userCertificate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [16/38]: enabling referential integrity plugin 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/referint-conf.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpQ3LiVG' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout=replace nsslapd-pluginenabled: on modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config" modify complete 2016-07-12T18:51:32Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:32Z DEBUG duration: 0 seconds 2016-07-12T18:51:32Z DEBUG [17/38]: configuring ssl for ds instance 2016-07-12T18:51:32Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-07-12T18:51:32Z DEBUG Starting external process 2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-N' '-f' '/etc/dirsrv/slapd-RSINC-LOCAL//pwdfile.txt' 2016-07-12T18:51:32Z DEBUG Process finished, return code=0 2016-07-12T18:51:32Z DEBUG stdout= 2016-07-12T18:51:32Z DEBUG stderr= 2016-07-12T18:51:32Z DEBUG Starting external process 
2016-07-12T18:51:32Z DEBUG args='/usr/bin/pk12util' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-i' '/tmp/tmp34bUDTipa/realm_info/dscert.p12' '-k' '/etc/dirsrv/slapd-RSINC-LOCAL//pwdfile.txt' '-v' '-w' '/dev/stdin'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-L'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           ,,

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-A' '-n' 'CA 1' '-t' ',,' '-a'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=
2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-O' '-n' 'Server-Cert'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-M' '-n' 'RSINC.LOCAL IPA CA' '-t' 'CT,C,C'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=
2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-O' '-n' 'Server-Cert'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout="RSINC.LOCAL IPA CA" [CN=Certificate Authority,O=RSINC.LOCAL]
  "Server-Cert" [CN=ipa03-aws.rsinc.local,O=RSINC.LOCAL]

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-L' '-n' 'RSINC.LOCAL IPA CA' '-a'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-L'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
RSINC.LOCAL IPA CA                                           CT,C,C

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-L' '-n' 'Server-Cert' '-a'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:32Z DEBUG Starting external process
2016-07-12T18:51:32Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-L' '-n' 'Server-Cert' '-a'
2016-07-12T18:51:32Z DEBUG Process finished, return code=0
2016-07-12T18:51:32Z DEBUG stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

2016-07-12T18:51:32Z DEBUG stderr=
2016-07-12T18:51:33Z DEBUG flushing ldap://ipa03-aws.rsinc.local:389 from SchemaCache
2016-07-12T18:51:33Z DEBUG retrieving schema for SchemaCache url=ldap://ipa03-aws.rsinc.local:389 conn=
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [18/38]:
configuring certmap.conf
2016-07-12T18:51:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2016-07-12T18:51:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2016-07-12T18:51:33Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [19/38]: configure autobind for root
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/root-autobind.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp6rzPZX'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=add objectClass:
	extensibleObject
	top
add cn:
	root-autobind
add uidNumber:
	0
add gidNumber:
	0
adding new entry "cn=root-autobind,cn=config"
modify complete

replace nsslapd-ldapiautobind:
	on
modifying entry "cn=config"
modify complete

replace nsslapd-ldapimaptoentries:
	on
modifying entry "cn=config"
modify complete
2016-07-12T18:51:33Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [20/38]: configure new location for managed entries
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpcTTK6a' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpA3Dzpt'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=add nsslapd-pluginConfigArea:
	cn=Definitions,cn=Managed Entries,cn=etc,dc=rsinc,dc=local
modifying entry "cn=Managed Entries,cn=plugins,cn=config"
modify complete
2016-07-12T18:51:33Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [21/38]: configure dirsrv ccache
2016-07-12T18:51:33Z DEBUG Backing up system configuration file '/etc/sysconfig/dirsrv'
2016-07-12T18:51:33Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/usr/sbin/selinuxenabled'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=
2016-07-12T18:51:33Z DEBUG stderr=
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/dirsrv'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=
2016-07-12T18:51:33Z DEBUG stderr=
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [22/38]: enable SASL mapping fallback
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpiDf5XR' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpU_gcYB'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=replace nsslapd-sasl-mapping-fallback:
	on
modifying entry "cn=config"
modify complete
2016-07-12T18:51:33Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:33Z DEBUG duration: 0 seconds
2016-07-12T18:51:33Z DEBUG [23/38]: restarting directory server
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload'
2016-07-12T18:51:33Z DEBUG Process finished, return code=0
2016-07-12T18:51:33Z DEBUG stdout=
2016-07-12T18:51:33Z DEBUG stderr=
2016-07-12T18:51:33Z DEBUG Starting external process
2016-07-12T18:51:33Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@RSINC-LOCAL.service'
2016-07-12T18:51:34Z DEBUG Process finished, return code=0
2016-07-12T18:51:34Z DEBUG stdout=
2016-07-12T18:51:34Z DEBUG stderr=
2016-07-12T18:51:34Z DEBUG Starting external process
2016-07-12T18:51:34Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@RSINC-LOCAL.service'
2016-07-12T18:51:34Z DEBUG Process finished, return code=0
2016-07-12T18:51:34Z DEBUG stdout=active
2016-07-12T18:51:34Z DEBUG stderr=
2016-07-12T18:51:34Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2016-07-12T18:51:35Z DEBUG Starting external process
2016-07-12T18:51:35Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@RSINC-LOCAL.service'
2016-07-12T18:51:35Z DEBUG Process finished, return code=0
2016-07-12T18:51:35Z DEBUG stdout=active
2016-07-12T18:51:35Z DEBUG stderr=
2016-07-12T18:51:35Z DEBUG duration: 2 seconds
2016-07-12T18:51:35Z DEBUG [24/38]: setting up initial replication
2016-07-12T18:51:35Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket from SchemaCache
2016-07-12T18:51:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket conn=
2016-07-12T18:51:35Z DEBUG Starting external process
2016-07-12T18:51:35Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload'
2016-07-12T18:51:35Z DEBUG Process finished, return code=0
2016-07-12T18:51:35Z DEBUG stdout=
2016-07-12T18:51:35Z DEBUG stderr=
2016-07-12T18:51:35Z DEBUG Starting external process
2016-07-12T18:51:35Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@RSINC-LOCAL.service'
2016-07-12T18:51:36Z DEBUG Process finished, return code=0
2016-07-12T18:51:36Z DEBUG stdout=
2016-07-12T18:51:36Z DEBUG stderr=
2016-07-12T18:51:36Z DEBUG Starting external process
2016-07-12T18:51:36Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@RSINC-LOCAL.service'
2016-07-12T18:51:36Z DEBUG Process finished, return code=0
2016-07-12T18:51:36Z DEBUG stdout=active
2016-07-12T18:51:36Z DEBUG stderr=
2016-07-12T18:51:36Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2016-07-12T18:51:38Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
2016-07-12T18:51:38Z DEBUG flushing ldap://ipa01-aws.rsinc.local:389 from SchemaCache
2016-07-12T18:51:38Z DEBUG retrieving schema for
SchemaCache url=ldap://ipa01-aws.rsinc.local:389 conn=
2016-07-12T18:51:39Z DEBUG Successfully updated nsDS5ReplicaId.
2016-07-12T18:51:39Z DEBUG flushing ldaps://ipa03-aws.rsinc.local:636 from SchemaCache
2016-07-12T18:51:39Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa03-aws.rsinc.local:636 conn=
2016-07-12T18:51:49Z DEBUG duration: 14 seconds
2016-07-12T18:51:49Z DEBUG [25/38]: updating schema
2016-07-12T18:51:49Z DEBUG Starting external process
2016-07-12T18:51:49Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/usr/share/ipa/schema-update.ldif' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpWvrmTP'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add objectClasses:
	( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsslapd-pluginPath $ nsslapd-pluginInitFunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVersion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnabled ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORIGIN 'Netscape Directory Server' )
	( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
modifying entry "cn=schema"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [26/38]: setting Auto Member configuration
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmp1eCPZ_' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpVqf5cB'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add nsslapd-pluginConfigArea:
	cn=automember,cn=etc,dc=rsinc,dc=local
modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [27/38]: enabling S4U2Proxy delegation
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpY17efF' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp8IK3SH'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add memberPrincipal:
	HTTP/ipa03-aws.rsinc.local@RSINC.LOCAL
modifying entry "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=rsinc,dc=local"
modify complete

add memberPrincipal:
	ldap/ipa03-aws.rsinc.local@RSINC.LOCAL
modifying entry "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=rsinc,dc=local"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [28/38]: importing CA certificates from LDAP
2016-07-12T18:51:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:51:50Z DEBUG flushing ldap://ipa03-aws.rsinc.local:389 from SchemaCache
2016-07-12T18:51:50Z DEBUG retrieving schema for SchemaCache url=ldap://ipa03-aws.rsinc.local:389 conn=
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-RSINC-LOCAL/' '-A' '-n' 'RSINC.LOCAL IPA CA' '-t' 'CT,C,C'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=
2016-07-12T18:51:50Z DEBUG stderr=
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [29/38]: initializing group membership
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [30/38]: adding master entry
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpxaLDRH' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpm2TMAE'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add objectclass:
	top
	nsContainer
	ipaReplTopoManagedServer
	ipaConfigObject
	ipaSupportedDomainLevelConfig
add cn:
	ipa03-aws.rsinc.local
add ipaReplTopoManagedSuffix:
	dc=rsinc,dc=local
add ipaMinDomainLevel:
	0
add ipaMaxDomainLevel:
	0
adding new entry "cn=ipa03-aws.rsinc.local,cn=masters,cn=ipa,cn=etc,dc=rsinc,dc=local"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [31/38]: initializing domain level
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [32/38]: configuring Posix uid/gid generation
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpIYMDRE' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmp2EyXWe'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add objectclass:
	top
	extensibleObject
add cn:
	Posix IDs
add dnaType:
	uidNumber
	gidNumber
add dnaNextValue:
	1101
add dnaMaxValue:
	1100
add dnaMagicRegen:
	-1
add dnaFilter:
	(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
add dnaScope:
	dc=rsinc,dc=local
add dnaThreshold:
	500
add dnaSharedCfgDN:
	cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=rsinc,dc=local
adding new entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [33/38]: adding replication acis
2016-07-12T18:51:50Z DEBUG Starting external process
2016-07-12T18:51:50Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpfjnnUg' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmporl0Uz'
2016-07-12T18:51:50Z DEBUG Process finished, return code=0
2016-07-12T18:51:50Z DEBUG stdout=add aci:
	(targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn="dc=rsinc,dc=local",cn=mapping tree,cn=config"
modify complete

add aci:
	(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn="dc=rsinc,dc=local",cn=mapping tree,cn=config"
modify complete

add aci:
	(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn="dc=rsinc,dc=local",cn=mapping tree,cn=config"
modify complete

add aci:
	(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
modify complete

add aci:
	(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
modify complete

add aci:
	(targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=rsinc,dc=local";)
modifying entry "cn=tasks,cn=config"
modify complete
2016-07-12T18:51:50Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base )
2016-07-12T18:51:50Z DEBUG duration: 0 seconds
2016-07-12T18:51:50Z DEBUG [34/38]: enabling compatibility plugin
2016-07-12T18:51:50Z DEBUG importing all plugin modules in ipalib.plugins...
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.aci
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.automember
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.automount
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.baseldap
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.baseuser
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.batch
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.caacl
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.cert
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.certprofile
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.config
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.delegation
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.dns
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.domainlevel
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.group
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.hbacrule
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.hbactest
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.host
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.hostgroup
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.idrange
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.idviews
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.internal
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.kerberos
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.migration
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.misc
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.netgroup
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.otpconfig
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.otptoken
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.passwd
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.permission
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.ping
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.pkinit
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.privilege
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.realmdomains
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.role
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.rpcclient
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.selfservice
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.server
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.service
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.servicedelegation
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.session
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.stageuser
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.sudocmd
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.sudorule
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.topology
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.trust
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.user
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.vault
2016-07-12T18:51:50Z DEBUG importing plugin module ipalib.plugins.virtual
2016-07-12T18:51:50Z DEBUG importing all plugin modules in ipaserver.plugins...
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.plugins.dogtag
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.plugins.join
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.plugins.ldap2
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.plugins.rabase
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2016-07-12T18:51:50Z DEBUG importing all plugin modules in ipaserver.install.plugins...
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.adtrust
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.dns
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_nis
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_referint
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_services
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2016-07-12T18:51:50Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2016-07-12T18:51:50Z DEBUG SessionAuthManager.register: name=jsonserver_session_146012624
2016-07-12T18:51:50Z DEBUG SessionAuthManager.register: name=xmlserver_session_146030864
2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00
2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00 2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' 2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00 2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' 2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00 2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.login_password() at '/session/login_password' 2016-07-12T18:51:51Z DEBUG session_auth_duration: 0:20:00 2016-07-12T18:51:51Z DEBUG Mounting ipaserver.rpcserver.change_password() at '/session/change_password' 2016-07-12T18:51:52Z DEBUG Created connection context.ldap2_146012240 2016-07-12T18:51:52Z DEBUG Destroyed connection context.ldap2_146012240 2016-07-12T18:51:52Z DEBUG Created connection context.ldap2_146012240 2016-07-12T18:51:52Z DEBUG Parsing update file '/usr/share/ipa/schema_compat.uldif' 2016-07-12T18:51:52Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket from SchemaCache 2016-07-12T18:51:52Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket conn= 2016-07-12T18:51:52Z DEBUG New entry: cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Initial value 2016-07-12T18:51:52Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG nsslapd-pluginid: 2016-07-12T18:51:52Z DEBUG schema-compat-plugin 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG Schema Compatibility 2016-07-12T18:51:52Z DEBUG nsslapd-pluginbetxn: 2016-07-12T18:51:52Z DEBUG on 2016-07-12T18:51:52Z DEBUG objectclass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG nsSlapdPlugin 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG nsslapd-plugindescription: 2016-07-12T18:51:52Z DEBUG Schema Compatibility Plugin 2016-07-12T18:51:52Z DEBUG nsslapd-pluginenabled: 
2016-07-12T18:51:52Z DEBUG on 2016-07-12T18:51:52Z DEBUG nsslapd-pluginpath: 2016-07-12T18:51:52Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so 2016-07-12T18:51:52Z DEBUG nsslapd-pluginversion: 2016-07-12T18:51:52Z DEBUG 0.8 2016-07-12T18:51:52Z DEBUG nsslapd-pluginvendor: 2016-07-12T18:51:52Z DEBUG redhat.com 2016-07-12T18:51:52Z DEBUG nsslapd-pluginprecedence: 2016-07-12T18:51:52Z DEBUG 49 2016-07-12T18:51:52Z DEBUG nsslapd-plugintype: 2016-07-12T18:51:52Z DEBUG object 2016-07-12T18:51:52Z DEBUG nsslapd-plugininitfunc: 2016-07-12T18:51:52Z DEBUG schema_compat_plugin_init 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Final value after applying updates 2016-07-12T18:51:52Z DEBUG dn: cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG nsslapd-pluginid: 2016-07-12T18:51:52Z DEBUG schema-compat-plugin 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG Schema Compatibility 2016-07-12T18:51:52Z DEBUG nsslapd-pluginbetxn: 2016-07-12T18:51:52Z DEBUG on 2016-07-12T18:51:52Z DEBUG objectclass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG nsSlapdPlugin 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG nsslapd-plugindescription: 2016-07-12T18:51:52Z DEBUG Schema Compatibility Plugin 2016-07-12T18:51:52Z DEBUG nsslapd-pluginenabled: 2016-07-12T18:51:52Z DEBUG on 2016-07-12T18:51:52Z DEBUG nsslapd-pluginpath: 2016-07-12T18:51:52Z DEBUG /usr/lib64/dirsrv/plugins/schemacompat-plugin.so 2016-07-12T18:51:52Z DEBUG nsslapd-pluginversion: 2016-07-12T18:51:52Z DEBUG 0.8 2016-07-12T18:51:52Z DEBUG nsslapd-pluginvendor: 2016-07-12T18:51:52Z DEBUG redhat.com 2016-07-12T18:51:52Z DEBUG nsslapd-pluginprecedence: 2016-07-12T18:51:52Z DEBUG 49 2016-07-12T18:51:52Z DEBUG nsslapd-plugintype: 2016-07-12T18:51:52Z DEBUG object 2016-07-12T18:51:52Z DEBUG nsslapd-plugininitfunc: 2016-07-12T18:51:52Z DEBUG schema_compat_plugin_init 2016-07-12T18:51:52Z DEBUG New entry: 
cn=users,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Initial value 2016-07-12T18:51:52Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2016-07-12T18:51:52Z DEBUG cn=%{cn} 2016-07-12T18:51:52Z DEBUG objectclass=posixAccount 2016-07-12T18:51:52Z DEBUG gidNumber=%{gidNumber} 2016-07-12T18:51:52Z DEBUG gecos=%{cn} 2016-07-12T18:51:52Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2016-07-12T18:51:52Z DEBUG uidNumber=%{uidNumber} 2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:rsinc.local:%{ipauniqueid}","") 2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2016-07-12T18:51:52Z DEBUG loginShell=%{loginShell} 2016-07-12T18:51:52Z DEBUG homeDirectory=%{homeDirectory} 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG users 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG schema-compat-search-filter: 2016-07-12T18:51:52Z DEBUG objectclass=posixAccount 2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn: 2016-07-12T18:51:52Z DEBUG cn=users 2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn: 2016-07-12T18:51:52Z DEBUG uid=%{uid} 2016-07-12T18:51:52Z DEBUG schema-compat-search-base: 2016-07-12T18:51:52Z DEBUG cn=users, cn=accounts, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG schema-compat-container-group: 2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Final value after applying updates 2016-07-12T18:51:52Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG 
schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2016-07-12T18:51:52Z DEBUG cn=%{cn} 2016-07-12T18:51:52Z DEBUG objectclass=posixAccount 2016-07-12T18:51:52Z DEBUG gidNumber=%{gidNumber} 2016-07-12T18:51:52Z DEBUG gecos=%{cn} 2016-07-12T18:51:52Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2016-07-12T18:51:52Z DEBUG uidNumber=%{uidNumber} 2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:rsinc.local:%{ipauniqueid}","") 2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2016-07-12T18:51:52Z DEBUG loginShell=%{loginShell} 2016-07-12T18:51:52Z DEBUG homeDirectory=%{homeDirectory} 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG users 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG schema-compat-search-filter: 2016-07-12T18:51:52Z DEBUG objectclass=posixAccount 2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn: 2016-07-12T18:51:52Z DEBUG cn=users 2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn: 2016-07-12T18:51:52Z DEBUG uid=%{uid} 2016-07-12T18:51:52Z DEBUG schema-compat-search-base: 2016-07-12T18:51:52Z DEBUG cn=users, cn=accounts, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG schema-compat-container-group: 2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG New entry: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Initial value 2016-07-12T18:51:52Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2016-07-12T18:51:52Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2016-07-12T18:51:52Z DEBUG 
gidNumber=%{gidNumber}
2016-07-12T18:51:52Z DEBUG objectclass=posixGroup
2016-07-12T18:51:52Z DEBUG memberUid=%{memberUid}
2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:rsinc.local:%{ipauniqueid}","")
2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
2016-07-12T18:51:52Z DEBUG memberUid=%deref_r("member","uid")
2016-07-12T18:51:52Z DEBUG cn:
2016-07-12T18:51:52Z DEBUG groups
2016-07-12T18:51:52Z DEBUG objectClass:
2016-07-12T18:51:52Z DEBUG top
2016-07-12T18:51:52Z DEBUG extensibleObject
2016-07-12T18:51:52Z DEBUG schema-compat-search-filter:
2016-07-12T18:51:52Z DEBUG objectclass=posixGroup
2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn:
2016-07-12T18:51:52Z DEBUG cn=groups
2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn:
2016-07-12T18:51:52Z DEBUG cn=%{cn}
2016-07-12T18:51:52Z DEBUG schema-compat-search-base:
2016-07-12T18:51:52Z DEBUG cn=groups, cn=accounts, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG schema-compat-container-group:
2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG ---------------------------------------------
2016-07-12T18:51:52Z DEBUG Final value after applying updates
2016-07-12T18:51:52Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute:
2016-07-12T18:51:52Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
2016-07-12T18:51:52Z DEBUG ipaanchoruuid=%{ipaanchoruuid}
2016-07-12T18:51:52Z DEBUG gidNumber=%{gidNumber}
2016-07-12T18:51:52Z DEBUG objectclass=posixGroup
2016-07-12T18:51:52Z DEBUG memberUid=%{memberUid}
2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:rsinc.local:%{ipauniqueid}","")
2016-07-12T18:51:52Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
2016-07-12T18:51:52Z DEBUG memberUid=%deref_r("member","uid")
2016-07-12T18:51:52Z
DEBUG cn:
2016-07-12T18:51:52Z DEBUG groups
2016-07-12T18:51:52Z DEBUG objectClass:
2016-07-12T18:51:52Z DEBUG top
2016-07-12T18:51:52Z DEBUG extensibleObject
2016-07-12T18:51:52Z DEBUG schema-compat-search-filter:
2016-07-12T18:51:52Z DEBUG objectclass=posixGroup
2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn:
2016-07-12T18:51:52Z DEBUG cn=groups
2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn:
2016-07-12T18:51:52Z DEBUG cn=%{cn}
2016-07-12T18:51:52Z DEBUG schema-compat-search-base:
2016-07-12T18:51:52Z DEBUG cn=groups, cn=accounts, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG schema-compat-container-group:
2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG New entry: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG ---------------------------------------------
2016-07-12T18:51:52Z DEBUG Initial value
2016-07-12T18:51:52Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG add: 'top' to objectClass, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['top']
2016-07-12T18:51:52Z DEBUG add: 'extensibleObject' to objectClass, current value ['top']
2016-07-12T18:51:52Z DEBUG add: updated value ['top', 'extensibleObject']
2016-07-12T18:51:52Z DEBUG add: 'ng' to cn, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['ng']
2016-07-12T18:51:52Z DEBUG add: 'cn=compat, dc=rsinc,dc=local' to schema-compat-container-group, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['cn=compat, dc=rsinc,dc=local']
2016-07-12T18:51:52Z DEBUG add: 'cn=ng' to schema-compat-container-rdn, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['cn=ng']
2016-07-12T18:51:52Z DEBUG add: 'yes' to schema-compat-check-access, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['yes']
2016-07-12T18:51:52Z DEBUG add: 'cn=ng, cn=alt, dc=rsinc,dc=local' to schema-compat-search-base, current value []
2016-07-12T18:51:52Z DEBUG add:
updated value ['cn=ng, cn=alt, dc=rsinc,dc=local']
2016-07-12T18:51:52Z DEBUG add: '(objectclass=ipaNisNetgroup)' to schema-compat-search-filter, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['(objectclass=ipaNisNetgroup)']
2016-07-12T18:51:52Z DEBUG add: 'cn=%{cn}' to schema-compat-entry-rdn, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['cn=%{cn}']
2016-07-12T18:51:52Z DEBUG add: 'objectclass=nisNetgroup' to schema-compat-entry-attribute, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=nisNetgroup']
2016-07-12T18:51:52Z DEBUG add: 'memberNisNetgroup=%deref_r("member","cn")' to schema-compat-entry-attribute, current value ['objectclass=nisNetgroup']
2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=nisNetgroup', 'memberNisNetgroup=%deref_r("member","cn")']
2016-07-12T18:51:52Z DEBUG add: 'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})' to schema-compat-entry-attribute, current value ['memberNisNetgroup=%deref_r("member","cn")', 'objectclass=nisNetgroup']
2016-07-12T18:51:52Z DEBUG add: updated value ['memberNisNetgroup=%deref_r("member","cn")', 'objectclass=nisNetgroup',
'nisNetgroupTriple=(%link("%ifeq(\\"hostCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%{externalHost}\\\\\\",\\\\\\"%deref(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\")\\\\\\")\\")","-",",","%ifeq(\\"userCategory\\",\\"all\\",\\"\\",\\"%collect(\\\\\\"%deref(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\",\\\\\\"%deref_r(\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\",\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\")\\\\\\")\\")","-"),%{nisDomainName:-})']
2016-07-12T18:51:52Z DEBUG ---------------------------------------------
2016-07-12T18:51:52Z DEBUG Final value after applying updates
2016-07-12T18:51:52Z DEBUG dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute:
2016-07-12T18:51:52Z DEBUG memberNisNetgroup=%deref_r("member","cn")
2016-07-12T18:51:52Z DEBUG objectclass=nisNetgroup
2016-07-12T18:51:52Z DEBUG nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
2016-07-12T18:51:52Z DEBUG schema-compat-check-access:
2016-07-12T18:51:52Z DEBUG yes
2016-07-12T18:51:52Z DEBUG cn:
2016-07-12T18:51:52Z DEBUG ng
2016-07-12T18:51:52Z DEBUG objectClass:
2016-07-12T18:51:52Z DEBUG top
2016-07-12T18:51:52Z DEBUG extensibleObject
2016-07-12T18:51:52Z DEBUG schema-compat-search-filter:
2016-07-12T18:51:52Z DEBUG (objectclass=ipaNisNetgroup)
2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn:
2016-07-12T18:51:52Z DEBUG cn=ng
2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn:
2016-07-12T18:51:52Z DEBUG cn=%{cn}
2016-07-12T18:51:52Z DEBUG schema-compat-search-base:
2016-07-12T18:51:52Z DEBUG cn=ng, cn=alt, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG schema-compat-container-group:
2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local
2016-07-12T18:51:52Z DEBUG New entry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG ---------------------------------------------
2016-07-12T18:51:52Z DEBUG Initial value
2016-07-12T18:51:52Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
2016-07-12T18:51:52Z DEBUG add: 'top' to objectClass, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['top']
2016-07-12T18:51:52Z DEBUG add: 'extensibleObject' to objectClass, current value ['top']
2016-07-12T18:51:52Z DEBUG add: updated value ['top', 'extensibleObject']
2016-07-12T18:51:52Z DEBUG add: 'sudoers' to cn, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoers']
2016-07-12T18:51:52Z DEBUG add: 'ou=SUDOers, dc=rsinc,dc=local' to schema-compat-container-group, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['ou=SUDOers, dc=rsinc,dc=local']
2016-07-12T18:51:52Z DEBUG add: 'cn=sudorules, cn=sudo, dc=rsinc,dc=local' to schema-compat-search-base, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['cn=sudorules, cn=sudo, dc=rsinc,dc=local']
2016-07-12T18:51:52Z DEBUG add: '(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))' to schema-compat-search-filter, current value []
2016-07-12T18:51:52Z DEBUG
add: updated value ['(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))']
2016-07-12T18:51:52Z DEBUG add: '%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")' to schema-compat-entry-rdn, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")']
2016-07-12T18:51:52Z DEBUG add: 'objectclass=sudoRole' to schema-compat-entry-attribute, current value []
2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")' to schema-compat-entry-attribute, current value ['objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")']
2016-07-12T18:51:52Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")',
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")',
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")',
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated
value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")']
2016-07-12T18:51:52Z DEBUG add: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")',
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole']
2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")']
2016-07-12T18:51:52Z DEBUG add: 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")',
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
'objectclass=sudoRole', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] 2016-07-12T18:51:52Z DEBUG add: updated value 
['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 
'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")' to schema-compat-entry-attribute, current value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'objectclass=sudoRole', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 
'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 
'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")' to schema-compat-entry-attribute, current value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 
'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")' to schema-compat-entry-attribute, current value ['sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 
'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")'] 2016-07-12T18:51:52Z DEBUG add: 'sudoOption=%{ipaSudoOpt}' to 
schema-compat-entry-attribute, current value ['sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 
'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")'] 2016-07-12T18:51:52Z DEBUG add: updated value ['sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\\",\\"member\\",\\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\\",\\"fqdn\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\\"memberUser\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\\",\\"cn\\")")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")', 'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\\"memberUser\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")', 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\\"ipaSudoRunAsGroup\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\\"memberHost\\",\\"(objectclass=ipaHost)\\",\\"fqdn\\")")', 'objectclass=sudoRole', 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\\"memberUser\\",\\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\\",\\"member\\",\\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\\",\\"uid\\")")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\\"memberAllowCmd\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixAccount)\\",\\"uid\\")")', 'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\\"memberUser\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\\"ipaSudoRunAs\\",\\"(objectclass=posixGroup)\\",\\"cn\\")")', 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}")', 'sudoCommand=!%deref("memberDenyCmd","sudoCmd")', 'sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")', 'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\\"memberAllowCmd\\",\\"member\\",\\"sudoCmd\\")")', 'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\\"memberHost\\",\\"(objectclass=ipaNisNetgroup)\\",\\"cn\\")")', 'sudoOption=%{ipaSudoOpt}'] 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Final value after applying updates 2016-07-12T18:51:52Z DEBUG dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%{ipaSudoRunAsExtUserGroup}") 2016-07-12T18:51:52Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")") 2016-07-12T18:51:52Z DEBUG 
sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")") 2016-07-12T18:51:52Z DEBUG sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}") 2016-07-12T18:51:52Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") 2016-07-12T18:51:52Z DEBUG sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")") 2016-07-12T18:51:52Z DEBUG objectclass=sudoRole 2016-07-12T18:51:52Z DEBUG sudoOption=%{ipaSudoOpt} 2016-07-12T18:51:52Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")") 2016-07-12T18:51:52Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}") 2016-07-12T18:51:52Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")") 2016-07-12T18:51:52Z DEBUG sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")") 2016-07-12T18:51:52Z DEBUG sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")") 2016-07-12T18:51:52Z DEBUG 
sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%{ipaSudoRunAsExtUser}") 2016-07-12T18:51:52Z DEBUG sudoCommand=!%deref("memberDenyCmd","sudoCmd") 2016-07-12T18:51:52Z DEBUG sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd") 2016-07-12T18:51:52Z DEBUG sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")") 2016-07-12T18:51:52Z DEBUG sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}") 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG sudoers 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG schema-compat-search-filter: 2016-07-12T18:51:52Z DEBUG (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))) 2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn: 2016-07-12T18:51:52Z DEBUG %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}") 2016-07-12T18:51:52Z DEBUG schema-compat-search-base: 2016-07-12T18:51:52Z DEBUG cn=sudorules, cn=sudo, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG schema-compat-container-group: 2016-07-12T18:51:52Z DEBUG ou=SUDOers, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG New entry: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Initial value 2016-07-12T18:51:52Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG objectclass=device 2016-07-12T18:51:52Z DEBUG cn=%{fqdn} 2016-07-12T18:51:52Z DEBUG macAddress=%{macAddress} 2016-07-12T18:51:52Z DEBUG objectclass=ieee802Device 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG computers 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG schema-compat-search-filter: 2016-07-12T18:51:52Z DEBUG 
(&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) 2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn: 2016-07-12T18:51:52Z DEBUG cn=computers 2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn: 2016-07-12T18:51:52Z DEBUG cn=%first("%{fqdn}") 2016-07-12T18:51:52Z DEBUG schema-compat-search-base: 2016-07-12T18:51:52Z DEBUG cn=computers, cn=accounts, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG schema-compat-container-group: 2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Final value after applying updates 2016-07-12T18:51:52Z DEBUG dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config 2016-07-12T18:51:52Z DEBUG schema-compat-entry-attribute: 2016-07-12T18:51:52Z DEBUG objectclass=device 2016-07-12T18:51:52Z DEBUG cn=%{fqdn} 2016-07-12T18:51:52Z DEBUG macAddress=%{macAddress} 2016-07-12T18:51:52Z DEBUG objectclass=ieee802Device 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG computers 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG extensibleObject 2016-07-12T18:51:52Z DEBUG schema-compat-search-filter: 2016-07-12T18:51:52Z DEBUG (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) 2016-07-12T18:51:52Z DEBUG schema-compat-container-rdn: 2016-07-12T18:51:52Z DEBUG cn=computers 2016-07-12T18:51:52Z DEBUG schema-compat-entry-rdn: 2016-07-12T18:51:52Z DEBUG cn=%first("%{fqdn}") 2016-07-12T18:51:52Z DEBUG schema-compat-search-base: 2016-07-12T18:51:52Z DEBUG cn=computers, cn=accounts, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG schema-compat-container-group: 2016-07-12T18:51:52Z DEBUG cn=compat, dc=rsinc,dc=local 2016-07-12T18:51:52Z DEBUG Updating existing entry: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Initial value 2016-07-12T18:51:52Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 
2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG directoryServerFeature 2016-07-12T18:51:52Z DEBUG aci: 2016-07-12T18:51:52Z DEBUG (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";) 2016-07-12T18:51:52Z DEBUG oid: 2016-07-12T18:51:52Z DEBUG 2.16.840.1.113730.3.4.9 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG VLV Request Control 2016-07-12T18:51:52Z DEBUG only: set aci to '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )', current value ['(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)'] 2016-07-12T18:51:52Z DEBUG only: updated value ['(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'] 2016-07-12T18:51:52Z DEBUG --------------------------------------------- 2016-07-12T18:51:52Z DEBUG Final value after applying updates 2016-07-12T18:51:52Z DEBUG dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 2016-07-12T18:51:52Z DEBUG objectClass: 2016-07-12T18:51:52Z DEBUG top 2016-07-12T18:51:52Z DEBUG directoryServerFeature 2016-07-12T18:51:52Z DEBUG aci: 2016-07-12T18:51:52Z DEBUG (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; ) 2016-07-12T18:51:52Z DEBUG oid: 2016-07-12T18:51:52Z DEBUG 2.16.840.1.113730.3.4.9 2016-07-12T18:51:52Z DEBUG cn: 2016-07-12T18:51:52Z DEBUG VLV Request Control 2016-07-12T18:51:52Z DEBUG [(0, u'aci', ['(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )']), (1, u'aci', ['(targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)'])] 2016-07-12T18:51:52Z DEBUG Updated 1 
2016-07-12T18:51:52Z DEBUG Done 2016-07-12T18:51:52Z DEBUG Destroyed connection context.ldap2_146012240 2016-07-12T18:51:52Z DEBUG duration: 1 seconds 2016-07-12T18:51:52Z DEBUG [35/38]: activating sidgen plugin 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpHNifK0' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpu7gGVO' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: IPA SIDGEN add nsslapd-pluginpath: libipa_sidgen add nsslapd-plugininitfunc: ipa_sidgen_init add nsslapd-plugintype: postoperation add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_sidgen_postop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: Red Hat, Inc. add nsslapd-plugindescription: IPA SIDGEN post operation add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=rsinc,dc=local adding new entry "cn=IPA SIDGEN,cn=plugins,cn=config" modify complete 2016-07-12T18:51:52Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:52Z DEBUG duration: 0 seconds 2016-07-12T18:51:52Z DEBUG [36/38]: activating extdom plugin 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpIyfltw' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpk7JxMO' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_extdom_extop add nsslapd-pluginpath: libipa_extdom_extop add nsslapd-plugininitfunc: ipa_extdom_init add nsslapd-plugintype: extendedop add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_extdom_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Support resolving IDs in trusted 
domains to names and back add nsslapd-plugin-depends-on-type: database add nsslapd-basedn: dc=rsinc,dc=local adding new entry "cn=ipa_extdom_extop,cn=plugins,cn=config" modify complete 2016-07-12T18:51:52Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:51:52Z DEBUG duration: 0 seconds 2016-07-12T18:51:52Z DEBUG [37/38]: tuning directory server 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/usr/sbin/selinuxenabled' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout= 2016-07-12T18:51:52Z DEBUG stderr= 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/dirsrv.systemd' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout= 2016-07-12T18:51:52Z DEBUG stderr= 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout= 2016-07-12T18:51:52Z DEBUG stderr= 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2016-07-12T18:51:52Z DEBUG Process finished, return code=0 2016-07-12T18:51:52Z DEBUG stdout= 2016-07-12T18:51:52Z DEBUG stderr= 2016-07-12T18:51:52Z DEBUG Starting external process 2016-07-12T18:51:52Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:52:01Z DEBUG Process finished, return code=0 2016-07-12T18:52:01Z DEBUG stdout= 2016-07-12T18:52:01Z DEBUG stderr= 2016-07-12T18:52:01Z DEBUG Starting external process 2016-07-12T18:52:01Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:52:01Z DEBUG Process finished, return code=0 2016-07-12T18:52:01Z DEBUG stdout=active 2016-07-12T18:52:01Z DEBUG stderr= 2016-07-12T18:52:01Z DEBUG 
wait_for_open_ports: localhost [389] timeout 300 2016-07-12T18:52:02Z DEBUG Starting external process 2016-07-12T18:52:02Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:52:02Z DEBUG Process finished, return code=0 2016-07-12T18:52:02Z DEBUG stdout=active 2016-07-12T18:52:02Z DEBUG stderr= 2016-07-12T18:52:02Z DEBUG Starting external process 2016-07-12T18:52:02Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpBnJ9Ee' '-H' 'ldap://ipa03-aws.rsinc.local:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpYQYFCf' 2016-07-12T18:52:02Z DEBUG Process finished, return code=0 2016-07-12T18:52:02Z DEBUG stdout=replace nsslapd-maxdescriptors: 8192 replace nsslapd-reservedescriptors: 64 modifying entry "cn=config" modify complete 2016-07-12T18:52:02Z DEBUG stderr=ldap_initialize( ldap://ipa03-aws.rsinc.local:389/??base ) 2016-07-12T18:52:02Z DEBUG duration: 10 seconds 2016-07-12T18:52:02Z DEBUG [38/38]: configuring directory to start on boot 2016-07-12T18:52:02Z DEBUG Starting external process 2016-07-12T18:52:02Z DEBUG args='/bin/systemctl' 'is-enabled' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:52:02Z DEBUG Process finished, return code=0 2016-07-12T18:52:02Z DEBUG stdout=enabled 2016-07-12T18:52:02Z DEBUG stderr= 2016-07-12T18:52:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:02Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:02Z DEBUG Starting external process 2016-07-12T18:52:02Z DEBUG args='/bin/systemctl' 'disable' 'dirsrv at RSINC-LOCAL.service' 2016-07-12T18:52:02Z DEBUG Process finished, return code=0 2016-07-12T18:52:02Z DEBUG stdout= 2016-07-12T18:52:02Z DEBUG stderr=Removed symlink /etc/systemd/system/dirsrv.target.wants/dirsrv at RSINC-LOCAL.service. 2016-07-12T18:52:02Z DEBUG duration: 0 seconds 2016-07-12T18:52:02Z DEBUG Done configuring directory server (dirsrv). 
2016-07-12T18:52:03Z DEBUG flushing ldaps://ipa01-aws.rsinc.local:636 from SchemaCache 2016-07-12T18:52:03Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local:636 conn= 2016-07-12T18:52:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-07-12T18:52:04Z DEBUG raw: dnszone_show(u'242.0.40.10.in-addr.arpa.', version=u'2.156') 2016-07-12T18:52:04Z DEBUG dnszone_show(, rights=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:04Z DEBUG raw: dnszone_show(u'0.40.10.in-addr.arpa.', version=u'2.156') 2016-07-12T18:52:04Z DEBUG dnszone_show(, rights=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:04Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_ldap._tcp', srvrecord=u'0 100 389 ipa03-aws', version=u'2.156') 2016-07-12T18:52:04Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 389 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:06Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kerberos._tcp', srvrecord=u'0 100 88 ipa03-aws', version=u'2.156') 2016-07-12T18:52:06Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:07Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 
2016-07-12T18:52:07Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kerberos._udp', srvrecord=u'0 100 88 ipa03-aws', version=u'2.156') 2016-07-12T18:52:07Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:08Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:08Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kerberos-master._tcp', srvrecord=u'0 100 88 ipa03-aws', version=u'2.156') 2016-07-12T18:52:08Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:09Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:09Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:09Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kerberos-master._udp', srvrecord=u'0 100 88 ipa03-aws', version=u'2.156') 2016-07-12T18:52:09Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 88 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:10Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:10Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kpasswd._tcp', srvrecord=u'0 100 464 ipa03-aws', version=u'2.156') 2016-07-12T18:52:10Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 464 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:11Z DEBUG Loading StateFile 
from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:11Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_kpasswd._udp', srvrecord=u'0 100 464 ipa03-aws', version=u'2.156') 2016-07-12T18:52:11Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 464 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:12Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:12Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:12Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'_ntp._udp', srvrecord=u'0 100 123 ipa03-aws', version=u'2.156') 2016-07-12T18:52:12Z DEBUG dnsrecord_add(, , a_extra_create_reverse=False, aaaa_extra_create_reverse=False, srvrecord=(u'0 100 123 ipa03-aws',), force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:15Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:15Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:15Z DEBUG raw: dnszone_show(u'rsinc.local', version=u'2.156') 2016-07-12T18:52:15Z DEBUG dnszone_show(, rights=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:15Z DEBUG raw: dnsrecord_add(u'rsinc.local', u'ipa03-aws', arecord=u'1', version=u'2.156') 2016-07-12T18:52:15Z DEBUG dnsrecord_add(, , arecord=(u'1',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.156') 2016-07-12T18:52:15Z INFO Replica DNS records could not be added on master: invalid 'ip_address': Gettext('invalid IP address format', domain='ipa', localedir=None) 2016-07-12T18:52:15Z DEBUG Destroyed connection context.ldap2_90329936 2016-07-12T18:52:15Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:15Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2016-07-12T18:52:15Z DEBUG Starting external process 2016-07-12T18:52:15Z DEBUG args='keyctl' 'get_persistent' '@s' '0' 2016-07-12T18:52:15Z DEBUG Process finished, return code=0 2016-07-12T18:52:15Z DEBUG stdout=173686621 2016-07-12T18:52:15Z DEBUG stderr= 2016-07-12T18:52:15Z DEBUG Enabling persistent keyring CCACHE 2016-07-12T18:52:15Z DEBUG Starting external process 2016-07-12T18:52:15Z DEBUG args='/bin/systemctl' 'is-active' 'krb5kdc.service' 2016-07-12T18:52:15Z DEBUG Process finished, return code=3 2016-07-12T18:52:15Z DEBUG stdout=unknown 2016-07-12T18:52:15Z DEBUG stderr= 2016-07-12T18:52:15Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:15Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-07-12T18:52:15Z DEBUG Starting external process 2016-07-12T18:52:15Z DEBUG args='/bin/systemctl' 'stop' 'krb5kdc.service' 2016-07-12T18:52:15Z DEBUG Process finished, return code=0 2016-07-12T18:52:15Z DEBUG stdout= 2016-07-12T18:52:15Z DEBUG stderr= 2016-07-12T18:52:15Z DEBUG Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds
2016-07-12T18:52:15Z DEBUG   [1/8]: adding sasl mappings to the directory
2016-07-12T18:52:15Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket from SchemaCache
2016-07-12T18:52:15Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket conn=
2016-07-12T18:52:16Z DEBUG   duration: 1 seconds
2016-07-12T18:52:16Z DEBUG   [2/8]: configuring KDC
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/kdc.conf'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb5.ini'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krb.con'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/usr/share/ipa/html/krbrealm.con'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Starting external process
2016-07-12T18:52:16Z DEBUG args='klist' '-V'
2016-07-12T18:52:16Z DEBUG Process finished, return code=0
2016-07-12T18:52:16Z DEBUG stdout=Kerberos 5 version 1.13.2
2016-07-12T18:52:16Z DEBUG stderr=
2016-07-12T18:52:16Z DEBUG Backing up system configuration file '/etc/sysconfig/krb5kdc'
2016-07-12T18:52:16Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:16Z DEBUG Starting external process
2016-07-12T18:52:16Z DEBUG args='/usr/sbin/selinuxenabled'
2016-07-12T18:52:16Z DEBUG Process finished, return code=0
2016-07-12T18:52:16Z DEBUG stdout=
2016-07-12T18:52:16Z DEBUG stderr=
2016-07-12T18:52:16Z DEBUG Starting external process
2016-07-12T18:52:16Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/krb5kdc'
2016-07-12T18:52:16Z DEBUG Process finished, return code=0
2016-07-12T18:52:16Z DEBUG stdout=
2016-07-12T18:52:16Z DEBUG stderr=
2016-07-12T18:52:16Z DEBUG   duration: 0 seconds
2016-07-12T18:52:16Z DEBUG   [3/8]: creating a keytab for the directory
2016-07-12T18:52:16Z DEBUG Starting external process
2016-07-12T18:52:16Z DEBUG args='kadmin.local' '-q' 'addprinc -randkey ldap/ipa03-aws.rsinc.local@RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions'
2016-07-12T18:52:16Z DEBUG Process finished, return code=0
2016-07-12T18:52:16Z DEBUG stdout=Authenticating as principal root/admin@RSINC.LOCAL with password.
Principal "ldap/ipa03-aws.rsinc.local@RSINC.LOCAL" created.

2016-07-12T18:52:16Z DEBUG stderr=WARNING: no policy specified for ldap/ipa03-aws.rsinc.local@RSINC.LOCAL; defaulting to no policy

2016-07-12T18:52:17Z DEBUG Backing up system configuration file '/etc/dirsrv/ds.keytab'
2016-07-12T18:52:17Z DEBUG   -> Not backing up - '/etc/dirsrv/ds.keytab' doesn't exist
2016-07-12T18:52:17Z DEBUG Starting external process
2016-07-12T18:52:17Z DEBUG args='kadmin.local' '-q' 'ktadd -k /etc/dirsrv/ds.keytab ldap/ipa03-aws.rsinc.local@RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions'
2016-07-12T18:52:17Z DEBUG Process finished, return code=0
2016-07-12T18:52:17Z DEBUG stdout=Authenticating as principal root/admin@RSINC.LOCAL with password.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/dirsrv/ds.keytab.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/dirsrv/ds.keytab.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/dirsrv/ds.keytab.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/dirsrv/ds.keytab.
Entry for principal ldap/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/dirsrv/ds.keytab.

2016-07-12T18:52:17Z DEBUG stderr=
2016-07-12T18:52:17Z DEBUG   duration: 0 seconds
2016-07-12T18:52:17Z DEBUG   [4/8]: creating a keytab for the machine
2016-07-12T18:52:17Z DEBUG Starting external process
2016-07-12T18:52:17Z DEBUG args='kadmin.local' '-q' 'addprinc -randkey host/ipa03-aws.rsinc.local@RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions'
2016-07-12T18:52:17Z DEBUG Process finished, return code=0
2016-07-12T18:52:17Z DEBUG stdout=Authenticating as principal root/admin@RSINC.LOCAL with password.
Principal "host/ipa03-aws.rsinc.local@RSINC.LOCAL" created.

2016-07-12T18:52:17Z DEBUG stderr=WARNING: no policy specified for host/ipa03-aws.rsinc.local@RSINC.LOCAL; defaulting to no policy

2016-07-12T18:52:17Z DEBUG Backing up system configuration file '/etc/krb5.keytab'
2016-07-12T18:52:17Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2016-07-12T18:52:17Z DEBUG Starting external process
2016-07-12T18:52:17Z DEBUG args='kadmin.local' '-q' 'ktadd -k /etc/krb5.keytab host/ipa03-aws.rsinc.local@RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions'
2016-07-12T18:52:17Z DEBUG Process finished, return code=0
2016-07-12T18:52:17Z DEBUG stdout=Authenticating as principal root/admin@RSINC.LOCAL with password.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipa03-aws.rsinc.local@RSINC.LOCAL with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.

2016-07-12T18:52:17Z DEBUG stderr=
2016-07-12T18:52:17Z DEBUG   duration: 0 seconds
2016-07-12T18:52:17Z DEBUG   [5/8]: adding the password extension to the directory
2016-07-12T18:52:17Z DEBUG Starting external process
2016-07-12T18:52:17Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpsCS1tk' '-H' 'ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpO1Mz2N'
2016-07-12T18:52:17Z DEBUG Process finished, return code=0
2016-07-12T18:52:17Z DEBUG stdout=add objectclass:
	top
	nsSlapdPlugin
	extensibleObject
add cn:
	ipa_pwd_extop
add nsslapd-pluginpath:
	libipa_pwd_extop
add nsslapd-plugininitfunc:
	ipapwd_init
add nsslapd-plugintype:
	extendedop
add nsslapd-pluginbetxn:
	on
add nsslapd-pluginenabled:
	on
add nsslapd-pluginid:
	ipa_pwd_extop
add nsslapd-pluginversion:
	1.0
add nsslapd-pluginvendor:
	RedHat
add nsslapd-plugindescription:
	Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.)
add nsslapd-plugin-depends-on-type:
	database
add nsslapd-realmTree:
	dc=rsinc,dc=local
adding new entry "cn=ipa_pwd_extop,cn=plugins,cn=config"
modify complete

2016-07-12T18:52:17Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-RSINC-LOCAL.socket/??base )

2016-07-12T18:52:17Z DEBUG   duration: 0 seconds
2016-07-12T18:52:17Z DEBUG   [6/8]: enable GSSAPI for replication
2016-07-12T18:52:18Z DEBUG flushing ldaps://ipa03-aws.rsinc.local:636 from SchemaCache
2016-07-12T18:52:18Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa03-aws.rsinc.local:636 conn=
2016-07-12T18:52:18Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:19Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:20Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:20Z DEBUG flushing ldaps://ipa01-aws.rsinc.local:636 from SchemaCache
2016-07-12T18:52:20Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local:636 conn=
2016-07-12T18:52:22Z INFO Setting agreement cn=meToipa03-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:24Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa03-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:26Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-07-12T18:52:26Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:26Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:26Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:28Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:29Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:29Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:29Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:29Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:30Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:31Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:31Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:31Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:31Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:32Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:33Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:33Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:33Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:33Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:35Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:35Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:35Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:37Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:37Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:38Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:38Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:39Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:40Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:40Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:40Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:40Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:41Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:42Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:42Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:42Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:42Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:43Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:44Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:44Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:45Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:45Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:46Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:47Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:47Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:47Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:47Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:48Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:49Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:49Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:49Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:49Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:50Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:51Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:51Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:51Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:51Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:52Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:53Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:53Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:53Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:53Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:54Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:55Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:55Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:55Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:55Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:56Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:57Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:57Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:57Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:57Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:52:58Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:52:59Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:52:59Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:52:59Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:52:59Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:00Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:01Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:01Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:02Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:02Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:03Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:04Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:04Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:05Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:05Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:06Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:07Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:07Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:07Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:07Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:08Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:09Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:09Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:09Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:09Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:10Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:11Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:11Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:11Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:11Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:12Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:13Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:13Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:13Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:13Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:14Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:15Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:15Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:15Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:15Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:16Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:17Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:17Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:17Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:17Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:18Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:19Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:19Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:19Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:19Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:20Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:21Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:21Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:22Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:22Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:23Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:24Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:24Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:24Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:24Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:25Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:26Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:26Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:26Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:26Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:27Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:28Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:28Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:29Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:29Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:30Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:31Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:31Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:31Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:31Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:32Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:33Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:33Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:33Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:33Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:35Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:35Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:36Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:36Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:37Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:38Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:38Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:38Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:38Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:39Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:40Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:40Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:41Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:41Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:42Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:43Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:43Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:43Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:43Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:44Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:45Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:45Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:45Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:45Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:46Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:47Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:47Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:47Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:47Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:48Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:49Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:53:49Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:53:49Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:53:49Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:53:50Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:53:51Z INFO Replication Update in
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:53:51Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:53:52Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:53:52Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:53:53Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:53:54Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:53:54Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:53:54Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:53:54Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:53:55Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:53:56Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:53:56Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:53:57Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:53:57Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:53:58Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:53:59Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:53:59Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:53:59Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:53:59Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:00Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:01Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:01Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:01Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:01Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:02Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:03Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:03Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:03Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:03Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:04Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:05Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:05Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:05Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:05Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:06Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:07Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:07Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:08Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:54:08Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:09Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:10Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:10Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:10Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:10Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:11Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:12Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:12Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:12Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:12Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:13Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:14Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:14Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:15Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:15Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:16Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:17Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:17Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:17Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:17Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:18Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:19Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:19Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:19Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:54:19Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:20Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:21Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:21Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:21Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:21Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:22Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:23Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:23Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:23Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:23Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:24Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:25Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:25Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:26Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:26Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:27Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:28Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:28Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:28Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:28Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:29Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:30Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:30Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:30Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:54:30Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:31Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:32Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:32Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:32Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:32Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:33Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:34Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:35Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:37Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:37Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:37Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:37Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:38Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:39Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:39Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:39Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:39Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:40Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:41Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:41Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:41Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:54:41Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:42Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:43Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:43Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:43Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:43Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:44Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:45Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:45Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:46Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:46Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:47Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:48Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:48Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:49Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:49Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:50Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:51Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:51Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:51Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:51Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:52Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:53Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:53Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:54Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:54:54Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:55Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:56Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:56Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:56Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:56Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:57Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:54:58Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:54:58Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:54:58Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:54:58Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:54:59Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:00Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:00Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:00Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:00Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:01Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:02Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:02Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:02Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:02Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:03Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:04Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:04Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:04Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636 2016-07-12T18:55:04Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:05Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:06Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:06Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:07Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:07Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:08Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:09Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:09Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:09Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:09Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:10Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:11Z INFO Replication Update in 
progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:11Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:11Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:11Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:12Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:13Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:13Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:13Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-07-12T18:55:13Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-07-12T18:55:14Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-07-12T18:55:15Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-07-12T18:55:15Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-07-12T18:55:15Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local at RSINC.LOCAL) on 
ipa01-aws.rsinc.local:636
2016-07-12T18:55:15Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:16Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:17Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:17Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:17Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:17Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:18Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:19Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:19Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:19Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:19Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:20Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:21Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:21Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:21Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:21Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:23Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:24Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:24Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:24Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:24Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:25Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:26Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:26Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:26Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:26Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:27Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:28Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:28Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:28Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:28Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:29Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:30Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:30Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:30Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:30Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:31Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:32Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:32Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:32Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:32Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:33Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:34Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:35Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:37Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:37Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:37Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:37Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:38Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:39Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:39Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:39Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:39Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:40Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:41Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:41Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:41Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:41Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:42Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:44Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:44Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:44Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:44Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:45Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:46Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:46Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:46Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:46Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:47Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:48Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:48Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:49Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:49Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:50Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:51Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:51Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:51Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:51Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:52Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:53Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:53Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:53Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:53Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:54Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:55Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:55Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:55Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:55Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:56Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:57Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:57Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:57Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:57Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:55:58Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:55:59Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:55:59Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:55:59Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:55:59Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:56:00Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:56:01Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:56:01Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:56:01Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:56:01Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:56:02Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:56:03Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:56:03Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:56:04Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:56:04Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:56:05Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:56:06Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:56:06Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:56:06Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:56:06Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:56:07Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:56:08Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:56:08Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local@RSINC.LOCAL)
2016-07-12T18:56:09Z DEBUG Unable to find entry for (krbprincipalname=ldap/ipa03-aws.rsinc.local@RSINC.LOCAL) on ipa01-aws.rsinc.local:636
2016-07-12T18:56:09Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-07-12T18:56:10Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config
2016-07-12T18:56:11Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0
2016-07-12T18:56:11Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)
RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica

2016-07-12T18:56:11Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica
2016-07-12T18:56:11Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 539, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 901, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 618, in install
    krb = install_krb(config, setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
    setup_pkinit, pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)

2016-07-12T18:56:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica
2016-07-12T18:56:11Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica

From russ.kaehler at sprinklr.com Tue Jul 12 19:35:41 2016
From: russ.kaehler at sprinklr.com (Russ Kaehler)
Date: Tue, 12 Jul 2016 15:35:41 -0400
Subject: [Freeipa-users] How does FreeIPA Fetch the Master DNS?
Message-ID:

Hello,

I'd like to review the section of code specifically related to how FreeIPA fetches the master DNS. When I run this:

ipa -vv user-show admin

The following printout emerges:

ipa: INFO: trying https://nqa-ipa-master-int.sprinklr.com/ipa/json
ipa: INFO: Forwarding 'user_show' to json server 'https://nqa-ipa-master-int.sprinklr.com/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "user_show",
    "params": [
        [
            "admin"
        ],
        {
            "all": false,
            "no_members": false,
            "raw": false,
            "rights": false,

Where in the code does this line get populated with the DNS URI?

ipa: INFO: trying https://ipa-master.foo.com/ipa/json

It will occasionally attempt to connect to the wrong DNS server and I'd like to correct that behavior. My request is specifically to know where to look in the code so I can investigate this matter.

Cheers,
Russ
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Jul 12 19:46:23 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jul 2016 15:46:23 -0400
Subject: [Freeipa-users] How does FreeIPA Fetch the Master DNS?
In-Reply-To:
References:
Message-ID: <5785490F.5060403@redhat.com>

Russ Kaehler wrote:
> Hello,
>
> I'd like to review the section of code specifically related to how
> FreeIPA fetches the master DNS. When I run this:
>
> ipa -vv user-show admin
>
>
> The following printout emerges:
>
>
> ipa: INFO: trying https://nqa-ipa-master-int.sprinklr.com/ipa/json
> ipa: INFO: Forwarding 'user_show' to json server
> 'https://nqa-ipa-master-int.sprinklr.com/ipa/json'
> ipa: INFO: Request: {
> "id": 0,
> "method": "user_show",
> "params": [ [ "admin" ],
> { "all": false, "no_members": false, "raw": false, "rights": false,
>
> Where in the code does this line get populated with the DNS URI?
>
> ipa: INFO: trying https://ipa-master.foo.com/ipa/json
>
>
> It will occasionally attempt to connect to the wrong DNS server and I'd
> like to correct that behavior. My request is specifically to know where
> to look in the code so I can investigate this matter.

Not sure if this is a terminology issue or not, but it isn't contacting DNS servers, it is contacting an IPA master (which may be the same as your DNS servers if IPA is serving DNS).

It can get this from a number of places: DNS SRV records, /etc/ipa/default.conf or whatever is in the session cookie (depending on version of IPA).

rob

From dsullivan2 at bsd.uchicago.edu Tue Jul 12 20:11:28 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Tue, 12 Jul 2016 20:11:28 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
Message-ID: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu>

Hi,

I am experiencing an HBAC issue that is proving to be very difficult to diagnose. It appears very closely related to the issue described in this thread (https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/DTX4LP5VI2AHANMT4QFXERCN7US2TCUB/), except that clearing the cache does not fix the problem.
I am further stumped by the fact that I have an additional machine that was deployed from an identical VMware template image on which IPA HBAC works correctly. From a client perspective I am working with a fully updated version of RHEL 6.8 with ipa-client 3.0.0-50.el6.1 and sssd 1.13.3-22.el6. We have a domain with 2 IPA domain controllers (RHEL 7.2 and ipa-server 4.2.0-15.el7_2.6.1); I have since shut down one of the two domain controllers and cleared the cache (/var/lib/sssd/db/*) on both clients and restarted sssd (to isolate a potential replication problem between DCs); the HBAC rule validates correctly on the only remaining DC (basically an any any rule). HBAC (the ability to login via sshd) continues to work on only one of the two clients.

From what I can tell, both clients have the same version of all ipa-client and sssd (and presumably related) packages, as both clients are fully updated. I have compared their /etc/sshd/sshd_config, /etc/sssd/sssd.conf and all configurations in /etc/pam.d and both systems appear consistent.

I feel that it is worthwhile to mention that I believe that one of the two machines in question (the one that is not working) was bound as a CentrifyDC client. We are planning on replacing CentrifyDC with FreeIPA (for several reasons), so it is important that we are able to take an existing CentrifyDC client, unbind it, uninstall the CentrifyDC package(s), and install FreeIPA in its place. Regardless of whether CentrifyDC was previously installed, I feel that my somewhat thorough examination of /etc/sshd/sshd_config and the contents of /etc/pam.d would negate any potential residual configuration from Centrify that would cause this sort of problem. I have posted my domain log here: http://pastebin.com/41KeSnq4

It is also probably worthwhile to mention that I am authenticating as a user in a trusted domain, although I believe this should be apparent in the pastebin.

I am hoping that a subject matter expert in IPA and/or SSSD would be able to help me further diagnose the "access denied by HBAC" entry that is present in the pastebin specified above. As I said, I have cleared /var/lib/sss/db/* and reinstalled ipa-client several times. I have also rebooted the system completely.

Thank you for considering helping me; I appreciate your time and expertise.

Best,

Dan

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please
notify the sender and destroy all copies of the transmittal.

Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From jstephen at redhat.com Tue Jul 12 21:12:54 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Tue, 12 Jul 2016 17:12:54 -0400
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu>
Message-ID: <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com>

Hello,

I am assuming this is the AD trust user that is having the problem with HBAC. In my testing I was only allowed access when the HBAC rule is linked to the IdM POSIX AD trust group and not the external group used to retrieve AD trust users.
I noticed the following in the logs which is why I mention this: /(Tue Jul 12 13:30:12 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [cri-cri_server_administrators_external] to rule [cri-cri_server_administrators_allow_all]/ If this does not help, could you share with us more about the HBAC rule 'cri-cri_server_administrators_allow_all' and how it is configured? # ipa hbacrule-show 'cri-cri_server_administrators_allow_all' Kind regards, Justin Stephenson On 07/12/2016 04:11 PM, Sullivan, Daniel [AAA] wrote: > Hi, > > I am experiencing an HBAC issue that is proving to be very difficult to diagnose. It appears very closely related to the issue described in this thread (https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/thread/DTX4LP5VI2AHANMT4QFXERCN7US2TCUB/), except that clearing the cache does not fix the problem. I am further stumped by the fact that I have an additional machine that was deployed from an identical VMWare template image which IPA HBAC works correctly on. From a client perspective I am working with a fully updated version of RHEL 6.8 with ipa-client 3.0.0-50.el6.1 and sssd 1.13.3-22.el6. We have a domain with 2 IPA domain controllers (RHEL 7.2 and ipa-server 4.2.0-15.el7_2.6.1); I have since shut down one of the two domain controllers and cleared the cache (/var/lib/sssd/db/*) on both clients and restarted sssd (to isolate a potential replication problem between DCs); the HBAC rule validates correctly on the only remaining DC (basically an! > any any rule). HBAC (the ability to login via sshd) continues to work on only one of the two clients. > > >From what I can tell, both clients have the same version of all ipa-client and sssd (and presumably related packages as both clients are fully updated). I have compared their /etc/sshd/sshd_config, /etc/sssd/sssd.conf and all configurations in /etc/pam.d and both systems appear consistent. 
>
> I feel that it is worthwhile to mention that I believe that one of the two machines in question (the one that is not working) was bound as a CentrifyDC client. We are planning on replacing CentrifyDC with FreeIPA (for several reasons), so it is important that we are able to take an existing CentrifyDC client, unbind it, uninstall the CentrifyDC package(s), and install FreeIPA in its place. Regardless of whether CentrifyDC was previously installed, I feel that my somewhat thorough examination of /etc/sshd/sshd_config and the contents of /etc/pam.d would negate any potential residual configuration from Centrify that would cause this sort of problem. I have posted my domain log here: http://pastebin.com/41KeSnq4
>
> It is also probably worthwhile to mention that I am authenticating as a user in a trusted domain, although I believe this should be apparent in the pastebin.
>
> I am hoping that a subject matter expert in IPA and/or SSSD would be able to help me further diagnose the access denied by HBAC entry that is present in the pastebin specified above. As I said, I have cleared /var/lib/sss/db/* and reinstalled IPA-client several times. I have also rebooted the system completely.
>
> Thank you for considering helping me; I appreciate your time and expertise.
>
> Best,
>
> Dan

From dsullivan2 at bsd.uchicago.edu Tue Jul 12 22:07:10 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Tue, 12 Jul 2016 22:07:10 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com>
Message-ID: <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>

Justin,

I really appreciate you taking the time to respond to me. This problem is driving me crazy and I will certainly take any help I can get. My suspicion is that the external user group in the policy below was causing the log entry you specified; removing it from the policy does not remediate the problem, even after flushing the client cache.

The way I have this setup is as follows:

1) I created a POSIX group in IPA named 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
2) I created an external group in IPA named 'cri-cri_server_administrators_external' and added the AD group in the trusted domain as an external member to this group (cri-cri_server_administrators at bsdad.uchicago.edu).
3) I added the group cri-cri_server_administrators_external as a member of 'cri-cri_server_administrators_ipa'.

The HBAC rule is configured as follows (removing the external group does not seem to make a difference).
[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
  Rule name: cri-cri_server_administrators_allow_all
  Host category: all
  Service category: all
  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
  Enabled: TRUE
  User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
[root at cri-ksysipadcp2 a.cri.dsullivan]#

For example, the problem still persists when the policy is configured in this manner:

[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
  Rule name: cri-cri_server_administrators_allow_all
  Host category: all
  Service category: all
  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
  Enabled: TRUE
  User Groups: cri-cri_server_administrators_ipa

And my login validates against the host in question as follows:

As I said I have this working consistently (i.e. can flush the cache) on another host with the same exact version of IPA and SSSD. Here is a validation of hbactest (works with either of the two policy configurations above).

[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbactest
User name: a.cri.dsullivan at bsdad.uchicago.edu
Target host: cri-kcriwebgdp1.cri.uchicago.edu
Service: sshd
--------------------
Access granted: True
--------------------
  Matched rules: cri-cri_server_administrators_allow_all
  Not matched rules: cri-hpc_server_administration
  Not matched rules: Gardner_cluster_login_no_ssh
  Not matched rules: s.cri.ipa-idprovisioner_domain_controllers
[root at cri-ksysipadcp2 a.cri.dsullivan]#

Thank you again for your response.
Best,

Dan

From gjn at gjn.priv.at Tue Jul 12 22:39:22 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Wed, 13 Jul 2016 00:39:22 +0200
Subject: [Freeipa-users] (DRAFT) HA mail services with FreeIPA, postfix, dovecot, amavisd-new, clamd and PLAIN/GSSAPI SSO
Message-ID: <1632136.za3UAMGVFv@techz>

Hello,

some days ago I found this doc; now I would like to set up a secure mail server, but the article is now missing? Can this come back?

Thanks,
--
with kind regards / best regards,
Günther J. Niederwimmer

From edewata at redhat.com Wed Jul 13 00:22:19 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Jul 2016 19:22:19 -0500
Subject: [Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved
Message-ID: <75d00a9e-1d14-5985-7c0f-79d761f1ab34@redhat.com>

On 7/12/2016 12:17 PM, bahan w wrote:
> Hello everyone.
>
> I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters).
>
> Today I tried to restart the IPA service with the command
> ###
> service ipa restart
> ###
>
> And I got the following warning concerning the pkica service:
> ###
> Since the file '/var/lib/pki-ca/conf/CS.cfg.bak.saved' exists, a
> previous backup attempt has failed! Backups will be discontinued until
> this issue has been resolved!
> ###
>
> And then the service gets KO.
>
> I wanted to know, could you tell me when this file CS.cfg.bak.saved is
> created?
> Also, do you know why the presence of this file prevents the ipa service
> from starting?
>
> Thank you in advance for your help.
>
> BR.
>
> Bahan

Hi Bahan,

To my understanding, during the CS.cfg backup process the old CS.cfg.bak is temporarily saved as CS.cfg.bak.saved. When the backup is complete the CS.cfg.bak.saved should be removed automatically. In your case there might be something wrong in the CS.cfg that causes the backup to fail. Try comparing the CS.cfg with CS.cfg.bak.saved to see what has changed recently. If you find something wrong, shut down the server, fix the CS.cfg, move CS.cfg.bak.saved somewhere else, then restart the server again. Please also check if the disk is full.

If it's still not working please send the CA debug log (/var/log/pki-ca/debug) to the pki-users mailing list or to the RHEL support channel.

Thanks.

--
Endi S. Dewata

From datakid at gmail.com Wed Jul 13 01:04:52 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 13 Jul 2016 11:04:52 +1000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>

This is exactly the issue I'm seeing too, various differences, but the symptoms are the same.
Main diff would be that sometimes stopping sssd, clearing cache and restarting sssd works, but only if individual AD domain members are added to the external group - not AD domain groups.

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 13 July 2016 at 08:07, Sullivan, Daniel [AAA] <dsullivan2 at bsd.uchicago.edu> wrote:
> [Dan's reply of 22:07 UTC, quoted in full above, is not repeated here.]
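The SSSD domain-log entries this thread turns on (the hbac_user_attrs_to_rule "Added non-POSIX group" line Justin points at, and the sysdb_update_members_ex "Could not add member ... Skipping." lines Alexander quotes below) can be triaged mechanically instead of by eye. The script below is an added example and not code from any poster, SSSD or FreeIPA; its sample log text, rule name and group list are constructed from the values shown in the thread, with "@" where the list archive prints " at ".

```python
"""Triage SSSD domain-log lines of the kind quoted in this thread.

Added example, not SSSD or FreeIPA project code.  It reads sssd_<domain>.log
entries and reports (a) groups into which SSSD could not write a user's
membership in the client cache (the "Could not add member ... Skipping."
entries) and (b) non-POSIX groups SSSD attached to an HBAC rule, then
intersects (a) with the "User Groups" of one rule as printed by
`ipa hbacrule-show`.  Everything below is constructed from values in the
thread; no real host was consulted.
"""
import re

# One sssd_<domain>.log entry: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
MEMBER_FAIL_RE = re.compile(
    r"Could not add member \[(?P<user>[^\]]+)\] to group \[(?P<dn>[^\]]+)\]\. Skipping\."
)
NONPOSIX_RE = re.compile(
    r"Added non-POSIX group \[(?P<group>[^\]]+)\] to rule \[(?P<rule>[^\]]+)\]"
)
# sysdb group DN as it appears in the log: name=<group>,cn=groups,cn=<sysdb domain>,cn=sysdb
GROUP_DN_RE = re.compile(r"^name=(?P<name>[^,]+),cn=groups,cn=(?P<sysdb_dom>[^,]+),cn=sysdb$")


def parse_line(line):
    """Split one log line into its fields; None for lines that are not SSSD entries."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(log_text, rule_name, rule_user_groups):
    """Summarise cache-membership failures that matter for one HBAC rule.

    rule_user_groups is the 'User Groups' list printed by `ipa hbacrule-show`.
    """
    failed = {}        # group name -> sysdb domain the group entry belongs to
    non_posix = {}     # HBAC rule -> non-POSIX groups SSSD attached to it
    users = set()
    ldb_failures = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["func"] == "sysdb_mod_group_member" and "ldb_modify failed" in msg:
            ldb_failures += 1
            continue
        fail = MEMBER_FAIL_RE.search(msg)
        if fail:
            users.add(fail["user"])
            dn = GROUP_DN_RE.match(fail["dn"])
            if dn:
                failed[dn["name"]] = dn["sysdb_dom"]
            continue
        added = NONPOSIX_RE.search(msg)
        if added:
            non_posix.setdefault(added["rule"], []).append(added["group"])
    # Groups the rule depends on whose membership never reached the client cache.
    # That is the thread's symptom: `ipa hbactest` on the server grants access,
    # while the client-side evaluation of the same rule denies it.
    unpopulated = sorted(g for g in rule_user_groups if g in failed)
    return {
        "users": sorted(users),
        "ldb_modify_failures": ldb_failures,
        "failed_groups": failed,
        "non_posix_groups_in_rule": non_posix.get(rule_name, []),
        "rule_groups_not_populated": unpopulated,
        "client_cache_explains_denial": bool(unpopulated),
    }


# Constructed sample, shaped like the lines quoted in the thread.
SAMPLE_LOG = """\
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for a.cri.dsullivan@bsdad.uchicago.edu
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan@bsdad.uchicago.edu] to group [name=cri-all_users@bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan@bsdad.uchicago.edu] to group [name=cri-cri_server_administrators_ipa,cn=groups,cn=ipa.cri.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:30:12 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [cri-cri_server_administrators_external] to rule [cri-cri_server_administrators_allow_all]
"""
RULE_NAME = "cri-cri_server_administrators_allow_all"
RULE_USER_GROUPS = ["cri-cri_server_administrators_external", "cri-cri_server_administrators_ipa"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, RULE_NAME, RULE_USER_GROUPS).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/sssd/sssd_<domain>.log captured at debug_level 9 or higher, a non-empty rule_groups_not_populated list says the denial is a client-cache problem and not an HBAC policy problem.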
From linuxguru.co at gmail.com Wed Jul 13 02:24:25 2016
From: linuxguru.co at gmail.com (Devin Acosta)
Date: Tue, 12 Jul 2016 19:24:25 -0700
Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

I was trying to create another Replica but then noticed it was constantly having issues trying to finish the joining of the replication. I then ran the command repl-monitor.pl. It appears I have several replica IDs and they seem to be having issues; wondering if this is adding to my issue.

Anyone know how I can resolve this issue and clean up the replication??? See attached Screenshot.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: replication-issue.pdf
Type: application/pdf
Size: 94076 bytes
Desc: not available

From abokovoy at redhat.com Wed Jul 13 06:10:07 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 13 Jul 2016 09:10:07 +0300
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>
Message-ID: <20160713061007.ixdzzzhfhcqyvtar@redhat.com>

On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote:
>Justin,
>
>I really appreciate you taking the time to respond to me. This problem
>is driving me crazy and I will certainly take any help I can get. My
>suspicion is that the external user group in the policy below was
>causing the log entry you specified; removing it from the policy does
>not remediate the problem, even after flushing the client cache.
>
>The way I have this setup is as follows:
>
>1) I created a POSIX group in IPA named
>'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
>2) I created an external group in IPA named
>'cri-cri_server_administrators_external' and added the AD group in the
>trusted domain as an external member to this group
>(cri-cri_server_administrators at bsdad.uchicago.edu).
>3) I added the group cri-cri_server_administrators_external as a
>member of 'cri-cri_server_administrators_ipa'.
>
>The HBAC rule is configured as follows (removing the external group does not
>seem to make a difference).
>
>[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
>  Rule name: cri-cri_server_administrators_allow_all
>  Host category: all
>  Service category: all
>  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
>  Enabled: TRUE
>  User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
>[root at cri-ksysipadcp2 a.cri.dsullivan]#
>
>For example, the problem still persists when the policy is configured in this manner:
>
>[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
>  Rule name: cri-cri_server_administrators_allow_all
>  Host category: all
>  Service category: all
>  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
>  Enabled: TRUE
>  User Groups: cri-cri_server_administrators_ipa
>
>And my login validates against the host in question as follows:
>
>As I said I have this working consistently (i.e. can flush the cache) on
>another host with the same exact version of IPA and SSSD. Here is a
>validation of hbactest (works with either of the two policy
>configurations above).
I think your problems are related to this snippet of your domain log, where SSSD on the IPA client was unable to add membership of your user to any of these groups:

(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for a.cri.dsullivan at bsdad.uchicago.edu
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_sms_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_cvs_repository at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-active_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-bard04 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_developers at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa$ dma at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=a.cri.dsullivan at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_teleform_admins_prod at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_isilon_share at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-galaxy_web_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-hpc_allusers at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-all_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-smaug03 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-azog04 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-kraig_nas at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-cri_server_administrators_ipa,cn=groups,cn=ipa.cri.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_git_repository at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_asap_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-treebeard03 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=domain users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=bsd$ a.acct at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=adm-dd-priv at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=psm-sms at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-all_groups at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaagroup at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-hpc_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_prodshop_loads at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-vandrogelen_nas at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-centrify_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_workflowgen_uat_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_psom_redmine_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-galaxy_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-dan_sullivan at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa-gpo-admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-dssg_lab at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-backup_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-cri_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. 
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-aaa_teleform_admins_uat at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-training at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping. as result, the user is viewed by SSSD on this IPA client as not belonging to the cri-cri_server_administrators at bsdad.uchicago.edu group and thus, HBAC rule validation on this client fails. 
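Added example, not part of Alexander's message and not SSSD code: a small triage script for the log pattern above. It parses the `Could not add member [...] to group [...]. Skipping.` records, sorts the skipped group names by the sysdb subtree they were looked up in (the trusted AD domain versus the IPA domain), and reports whether the groups the HBAC rule depends on are among them. The sample log, `WATCHED`, `_skipped_triple` and the other names are this example's own, constructed from the record format shown in the thread.

```python
"""Triage the 'Could not add member ... Skipping.' records in an SSSD domain log.

Added example for this thread; it is not part of any message here and not SSSD
code. It pulls out the groups SSSD skipped while updating a user's cached
memberships, splits them by sysdb subtree (trusted AD domain vs. IPA domain) and
reports whether any group you care about for HBAC is among them. The sample log
is constructed from the record format quoted in the thread; a real SSSD log has
'@' where the list archive shows ' at ', and the regex accepts both.
"""
import json
import re
from collections import defaultdict

# Level-0x0020 record SSSD writes when the cached group object is missing from
# its sysdb; the DN names the subtree (cn=<domain>) the lookup went to.
SKIP_RE = re.compile(
    r"\[sysdb_update_members_ex\] \(0x0020\): Could not add member "
    r"\[(?P<member>[^\]]+)\] to group "
    r"\[name=(?P<group>[^,]+),cn=groups,cn=(?P<domain>[^,]+),cn=sysdb\]\. Skipping\."
)
# Level-0x0400 warning that precedes the failures in the thread's log.
FQN_WARNING = ("Root domain uses fully-qualified names, objects might not be "
               "correctly added to groups with short names.")

TS = "(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]"
USER = "a.cri.dsullivan@bsdad.uchicago.edu"


def _skipped_triple(member, group, domain):
    """The three lines SSSD logs for one failed membership add (sample data only)."""
    return [
        f"{TS} [sysdb_mod_group_member] (0x0080): ldb_modify failed: "
        f"[No such object](32)[ldb_wait: No such object (32)]",
        f"{TS} [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)",
        f"{TS} [sysdb_update_members_ex] (0x0020): Could not add member [{member}] "
        f"to group [name={group},cn=groups,cn={domain},cn=sysdb]. Skipping.",
    ]


# Constructed sample: the warning, the membership update, then three skipped
# groups (two in the AD subtree, one in the IPA subtree).
SAMPLE_LOG = "\n".join(
    [f"{TS} [get_groups_dns] (0x0400): {FQN_WARNING}",
     f"{TS} [ipa_s2n_save_objects] (0x2000): Updating memberships for {USER}"]
    + _skipped_triple(USER, "domain users@bsdad.uchicago.edu", "bsdad.uchicago.edu")
    + _skipped_triple(USER, "cri-cri_server_administrators@bsdad.uchicago.edu",
                      "bsdad.uchicago.edu")
    + _skipped_triple(USER, "cri-cri_server_administrators_ipa", "ipa.cri.uchicago.edu")
)

# Groups the thread's HBAC rule ultimately depends on: the AD group behind the
# external group, the external group itself, and the IPA POSIX group it nests in.
WATCHED = [
    "cri-cri_server_administrators@bsdad.uchicago.edu",
    "cri-cri_server_administrators_external",
    "cri-cri_server_administrators_ipa",
]


def parse_skipped(log_text):
    """One dict (member, group, domain) per 'Could not add member' record."""
    return [m.groupdict() for m in map(SKIP_RE.search, log_text.splitlines()) if m]


def skipped_by_domain(records):
    """Skipped group names keyed by the sysdb subtree they were looked up in."""
    out = defaultdict(set)
    for r in records:
        out[r["domain"]].add(r["group"])
    return {domain: sorted(groups) for domain, groups in out.items()}


def watched_groups_skipped(records, watched):
    """Which of the groups we care about had the membership add skipped."""
    skipped = {r["group"] for r in records}
    return sorted(g for g in watched if g in skipped)


def triage(log_text, watched):
    """Summary an admin can compare against the HBAC rule before chasing hbactest."""
    records = parse_skipped(log_text)
    return {
        "members": sorted({r["member"] for r in records}),
        "skipped_total": len(records),
        "by_domain": skipped_by_domain(records),
        "fqn_warnings": sum(1 for line in log_text.splitlines() if FQN_WARNING in line),
        "watched_skipped": watched_groups_skipped(records, watched),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, WATCHED), indent=2))
```

On a real client, feed it the domain log from /var/log/sssd (the thread's log is from the ipa.cri.uchicago.edu backend) and put the rule's own groups in the watched list.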
--
/ Alexander Bokovoy

From jhrozek at redhat.com Wed Jul 13 06:37:44 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 Jul 2016 08:37:44 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160713061007.ixdzzzhfhcqyvtar@redhat.com>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com>
Message-ID: <20160713063744.GM24683@hendrix>

On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote:
> On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote:
> > Justin,
> >
> > I really appreciate you taking the time to respond to me. This problem
> > is driving me crazy and I will certainly take any help I can get. My
> > suspicion is that the external user group in the policy below was
> > causing the log entry you specified, removing it from the policy does
> > not remediate the problem, even after flushing the client cache.
> >
> > The way I have this setup is as follows:
> >
> > 1) I created a POSIX group in IPA named
> > 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
> > 2) I created an external group in IPA named
> > 'cri-cri_server_administrators_external' and added the AD group in the
> > trusted domain as an external member to this group
> > (cri-cri_server_administrators at bsdad.uchicago.edu).
> > 3) I added the group 'cri-cri_server_administrators_external' as a
> > member of 'cri-cri_server_administrators_ipa'.
> >
> > The HBAC rule is configured as (removing the external group does not
> > seem to make a difference).
> >
> > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> > Rule name: cri-cri_server_administrators_allow_all
> > Host category: all
> > Service category: all
> > Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> > Enabled: TRUE
> > User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
> > [root at cri-ksysipadcp2 a.cri.dsullivan]#
> >
> > For example, the problem still persists when the policy is configured in this manner:
> >
> > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> > Rule name: cri-cri_server_administrators_allow_all
> > Host category: all
> > Service category: all
> > Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> > Enabled: TRUE
> > User Groups: cri-cri_server_administrators_ipa
> >
> > And my login validates against the host in question as follows:
> >
> > As I said I have this working consistently (i.e. can flush the cache) on
> > another host with the same exact version of IPA and SSSD. Here is a
> > validation of hbactest (works with either of the two policy
> > configurations above).
> I think your problems are related to this snippet of your domain log
> where SSSD on IPA client was unable to add membership of your user to
> any of these groups:
>
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-vandrogelen_nas at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-centrify_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-aaa_workflowgen_uat_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. 
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-aaa_psom_redmine_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-galaxy_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=aaa-dan_sullivan at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. 
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=aaa-gpo-admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-dssg_lab at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-backup_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. 
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-aaa_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-cri_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such > object](32)[ldb_wait: No such object (32)] > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) > (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] > [sysdb_update_members_ex] (0x0020): Could not add member > [a.cri.dsullivan at bsdad.uchicago.edu] to group > [name=cri-aaa_teleform_admins_uat at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. > Skipping. 
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): Could not add member [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=cri-training at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.
>
> as result, the user is viewed by SSSD on this IPA client as not
> belonging to the cri-cri_server_administrators at bsdad.uchicago.edu group
> and thus, HBAC rule validation on this client fails.

First, we have some debug messages in this part of sssd that can really use some improvement. That is, some debug messages are expected to report failures and we recover from them later.

But in general Alexander is right.

Does 'id a.cri.dsullivan at bsdad.uchicago.edu' report the user as a member of the group that should be allowing access?

If not, I would suggest to run:
1) sss_cache -E on both server and client (don't remove the cache, please)
2) truncate the logs on server and client
3) run id a.cri.dsullivan at bsdad.uchicago.edu on the client
then send us the logs from that single id run.
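The two things asked for above are the `id` output and the domain log from a single lookup. As an added example (editor's code, not code from this thread or from SSSD), the Python below unwraps mail-wrapped sssd domain-log records, collects every `sysdb_update_members_ex` "Could not add member" failure per user and per sysdb domain, and checks whether a given group appears in the `id` output, so the two can be compared directly. The log lines, the `id` line, the user, group and domain names and the uid/gid numbers are constructed samples shaped like the ones quoted above.

```python
"""Summarise SSSD sysdb group-membership failures and cross-check `id` output.

Added example for the thread above; it is not SSSD code. The record layout
follows the sssd_<domain>.log lines quoted in the thread; all names, sysdb
domains and uid/gid numbers below are constructed samples.
"""
import re
from collections import defaultdict

# One failure record, once mail wrapping has been undone:
#   [sysdb_update_members_ex] (0x0020): Could not add member [user] to group
#   [name=<group>,cn=groups,cn=<sysdb domain>,cn=sysdb]. Skipping.
MEMBER_FAIL_RE = re.compile(
    r"\[sysdb_update_members_ex\] \(0x[0-9a-fA-F]+\): "
    r"Could not add member \[(?P<member>[^\]]+)\] to group \[(?P<group_dn>[^\]]+)\]"
)
GROUP_NAME_RE = re.compile(r"^name=([^,]+)")
GROUP_DOMAIN_RE = re.compile(r"cn=groups,cn=([^,]+),cn=sysdb")


def unwrap_log(text):
    """Rejoin records that a mail client wrapped onto several lines.

    Every SSSD debug record starts with a "(timestamp)" prefix; a line that
    does not is a continuation of the previous record.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("(") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def membership_failures(log_text):
    """Return {member: [(group_name, sysdb_domain), ...]} in log order."""
    failures = defaultdict(list)
    for record in unwrap_log(log_text):
        match = MEMBER_FAIL_RE.search(record)
        if not match:
            continue
        group_dn = match.group("group_dn")
        name = GROUP_NAME_RE.match(group_dn)
        domain = GROUP_DOMAIN_RE.search(group_dn)
        failures[match.group("member")].append(
            (name.group(1) if name else group_dn,
             domain.group(1) if domain else "unknown")
        )
    return dict(failures)


def id_groups(id_output):
    """Parse the groups= part of `id` output into a set of group names."""
    _, found, rest = id_output.strip().partition("groups=")
    if not found:
        return set()
    rest = rest.split(" context=", 1)[0]  # drop the SELinux context, if present
    names = set()
    for token in rest.split(","):
        match = re.search(r"\((.*)\)$", token.strip())
        if match:
            names.add(match.group(1))
    return names


def diagnose(id_output, log_text, required_group):
    """Return (group listed by `id`, [members whose cache update for it failed])."""
    listed = required_group in id_groups(id_output)
    affected = [
        member for member, groups in membership_failures(log_text).items()
        if any(name == required_group for name, _domain in groups)
    ]
    return listed, affected


# Constructed sample: a domain-log fragment as it arrives wrapped in a mail.
SAMPLE_LOG = """\
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.example.test]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.example.test]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member
[jdoe@ad.example.test] to group
[name=server_admins_ipa,cn=groups,cn=ipa.example.test,cn=sysdb].
Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member
[jdoe@ad.example.test] to group [name=domain
users@ad.example.test,cn=groups,cn=ad.example.test,cn=sysdb].
Skipping.
(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member
[jdoe@ad.example.test] to group
[name=backup_admins@ad.example.test,cn=groups,cn=ad.example.test,cn=sysdb].
Skipping.
(Tue Jul 12 13:29:59 2016) [sssd[be[ipa.example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
"""

# Constructed sample of `id jdoe@ad.example.test` run on the client.
SAMPLE_ID = (
    "uid=1234567890(jdoe@ad.example.test) gid=1234567890(domain users@ad.example.test) "
    "groups=1234567890(domain users@ad.example.test),1234567891(backup_admins@ad.example.test) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)

if __name__ == "__main__":
    for member, groups in membership_failures(SAMPLE_LOG).items():
        print(member)
        for name, domain in groups:
            print(f"  cache update failed: {name} (sysdb domain {domain})")
    listed, affected = diagnose(SAMPLE_ID, SAMPLE_LOG, "server_admins_ipa")
    print("server_admins_ipa listed by id:", listed, "| failures recorded for:", affected)
```

Run it against the real files by reading the client's sssd domain log and the `id` output into the two arguments of `diagnose()`; a group that is absent from `id` and present in the failure list is the one whose HBAC evaluation will not match, which is the situation Alexander points at above.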
From sbose at redhat.com Wed Jul 13 08:20:00 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 Jul 2016 10:20:00 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160713063744.GM24683@hendrix>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix>
Message-ID: <20160713082000.GH25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Jul 13, 2016 at 08:37:44AM +0200, Jakub Hrozek wrote:
> On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote:
> > On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote:
> > > Justin,
> > >
> > > I really appreciate you taking the time to respond to me. This problem is driving me crazy and I will certainly take any help I can get. My suspicion is that the external user group in the policy below was causing the log entry you specified, removing it from the policy does not remediate the problem, even after flushing the client cache.
> > >
> > > The way I have this setup is as follows:
> > >
> > > 1) I created a POSIX group in IPA named 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
> > > 2) I created an external group in IPA named 'cri-cri_server_administrators_external' and added the AD group in the trusted domain as an external member to this group (cri-cri_server_administrators at bsdad.uchicago.edu).
> > > 3) I added the group 'cri-cri_server_administrators_external' as a member of 'cri-cri_server_administrators_ipa'
> > >
> > > The HBAC rule is configured as (removing the external group does not seem to make a difference).
> > >
> > > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> > > Rule name: cri-cri_server_administrators_allow_all
> > > Host category: all
> > > Service category: all
> > > Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> > > Enabled: TRUE
> > > User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
> > > [root at cri-ksysipadcp2 a.cri.dsullivan]#
> > >
> > > For example, the problem still persists when the policy is configured in this manner:
> > >
> > > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> > > Rule name: cri-cri_server_administrators_allow_all
> > > Host category: all
> > > Service category: all
> > > Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> > > Enabled: TRUE
> > > User Groups: cri-cri_server_administrators_ipa
> > >
> > > And my login validates against the host in question as follows:
> > >
> > > As I said I have this working consistently (i.e. can flush the cache) on another host with the same exact version of IPA and SSSD. Here is a validation of hbactest (works with either of the two policy configurations above).
> > I think your problems are related to this snippet of your domain log where SSSD on IPA client was unable to add membership of your user to any of these groups:
> > ...
> >
> > as result, the user is viewed by SSSD on this IPA client as not belonging to the cri-cri_server_administrators at bsdad.uchicago.edu group and thus, HBAC rule validation on this client fails.
>
> First, we have some debug messages in this part of sssd that can really use some improvement. That is, some debug messages are expected to report failures and we recover from them later.
>
> But in general Alexander is right.
> Does 'id a.cri.dsullivan at bsdad.uchicago.edu' report the user as a member of the
> group that should be allowing access?
>
> If not, I would suggest to run:
> 1) sss_cache -E on both server and client (don't remove the cache,
> please)
> 2) truncate the logs on server and client
> 3) run id a.cri.dsullivan at bsdad.uchicago.edu on the client
> then send us the logs from that single id run..

If some of the IPA group memberships are missing you might hit https://bugzilla.redhat.com/show_bug.cgi?id=1304333 which is not fixed in the IPA version you use (ipa-4.2.0-15.el7_2.6.1). Maybe upgrading the server helps?

bye,
Sumit

From simecek.tomas at gmail.com Wed Jul 13 09:18:21 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 13 Jul 2016 11:18:21 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
Message-ID:

Dear freeIPA gurus,
in previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo working for AD users on Centos 7.0 (spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup.
Error message is always:

[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for simecek.tomas at sd-stc.cz:
simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test. This incident will be reported.

Here are my HBAC rules, the second one should apply.
It definitely applies for the Centos 7.0 server:

[root at svlxxipap ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE

Rule name: Unixari na test servery
Enabled: TRUE
User Groups: grpunixadmins
Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
Services: login, sshd, sudo, sudo-i, su, su-l
----------------------------
Number of entries returned 2
----------------------------

This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just with the proper server name of course:

[root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home

[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

This is output from sssd_sudo.log:
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1330300][18]

It looks like it cannot get any rules from IPA server. Any idea why? It works fine on Centos 7.0 client.

Thanks
Tomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sbose at redhat.com Wed Jul 13 09:43:32 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 Jul 2016 11:43:32 +0200
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> +freeipa-users list
>
> From: pgb205
> To: Sumit Bose
> Sent: Tuesday, July 12, 2016 2:12 PM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> Sumit, thanks for replying
> So the first issue is my fault, probably from when I was sanitizing logs.
> our active directory domain is ad_domain.local, but users would expect to login as userid at ad_domain.com or just userid.
> for ipa the kerberos realm is IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> ewr-fipa_server used to be old trial server so I am not sure why it's still in the dns lookup results. I'll check this part further.
> Lastly, only the connection to one of the domain controllers on AD side is open. As discussed previously with Alexandr Bokovoy I forced, in /etc/krb5.conf, a connection to this single, accessible domain controller. Are there any other files where I would need to lock down the connections between ipa->ad so that all traffic goes to specific active directory domain controller?
> thanks again for replying so quickly.

Currently it is not possible to specify individual AD DC SSSD on the IPA server should talk to. We have ticket https://fedorahosted.org/sssd/ticket/2599 to make this possible in some later versions of SSSD.

Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to get a list of AD DC, then picks one to get the next nearest site for the IPA domain and finally tries to lookup a DC from the matching site (if any). According to your logs SSSD was able to find 18 DCs with the SRV lookup. A call like dig SRV _ldap._tcp.ad_domain.local on the IPA server should return the same list of 18 DCs.

As a work-around, or better a hack, you might want to try to set the IP address of all the 18 DC returned to the IP address of the only accessible DC in /etc/hosts. This way SSSD should have no chance to connect to a different DC.

bye,
Sumit

>
> From: Sumit Bose
> To: pgb205
> Cc: Sumit Bose
> Sent: Tuesday, July 12, 2016 5:37 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > Sumit,
> > sssd log files attached with debug=10 in all sections. I have attempted several logins for comparison as well as kinit commands
>
> I came across two issues in the logs.
>
> First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently FreeIPA cannot resolve those principals correctly. It was planned for IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime please try the work-around suggested at the end of http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to authenticate with user at AD_DOMAIN.COM SSSD looks for a server called ewr-fipa_server.ad_domain.com but cannot find it and returns the error code for "Cannot contact any KDC for requested realm".
>
> Second there are some issues accessing AD DCs via LDAP. SSSD tries to connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but both fail. It is not clear from the logs if already the DNS lookup for those fails or if the connection itself runs into a timeout. In the former case you should make sure that the names can be resolved on the IPA server, in the latter you can try to increase ldap_network_timeout (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it switches the AD domains to offline. The authentication request is handled offline as well but since there are no cached credentials you get the permission denied error.
>
> HTH
>
> bye,
> Sumit
>
> >
> > From: Sumit Bose
> > To: pgb205
> > Cc: "Freeipa-users at redhat.com"
> > Sent: Monday, July 11, 2016 3:06 AM
> > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:
> > > I have successfully established trust and am able to obtain ticket granting ticket
> > > kinit user at AD_DOMAIN.COM
> > > I can also do kinit admin at IPA_DOMAIN.COM
> > > ssh admin at IPA_DOMAIN.COM also works
> > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
> > > I have checked that there are no hbac rules other than the default allow_all rule
> > > in sssd_ssh.log see
> > > permission denied (6) error
> > > in sssd_ipa.domain.log file I see
> > > pam_handler_callback 6 permission_denied
> > > in sssd_nss.log
> > > Unable to get information from Data Provider
> > > Error: 3 Account info lookup failed
> > > Will try to return what we have in cache
> > > in /var/log/secure
> > > received for user user at AD_DOMAIN.COM: 6 (Permission denied)
> > >
> > > I can provide full logs if necessary to diagnose the above problem.
> >
> > Yes, full SSSD logs with debug_level=10 would be best.
> >
> > > ----------
> > > Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
> > > My understanding that only thing that I have to change to make this happen is /etc/krb5.conf for line
> > > [libdefaults]
> > > default_realm=AD_DOMAN.COM
> > > and then restarting ipa services.
> >
> > No, please do not change the default_realm. This is not related to the issues you are seeing.
> >
> > bye,
> > Sumit
> >
> > > However, when I do this I get failure to restart Samba service
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> >

From jhrozek at redhat.com Wed Jul 13 09:50:04 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 Jul 2016 11:50:04 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References:
Message-ID: <20160713095004.GB12285@hendrix>

On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> Dear freeIPA gurus,
> in previous thread (
> https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
> helped me make sudo working for AD users on Centos 7.0 (
> spcss-2t-www.linuxdomain.cz).
> It was caused by not knowing sudo needs to be enabled in HBAC rules.
> Now it works properly on Centos 7.0 client.
> But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> same sssd.conf setup.
> Error message is always:
>
> [simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> [sudo] password for simecek.tomas at sd-stc.cz:
> simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test. This
> incident will be reported.
>
> Here are my HBAC rules, the second one should apply. It definitely applies
> for Centos 7.0 server:
> [root at svlxxipap ~]# ipa hbacrule-find
> --------------------
> 2 HBAC rules matched
> --------------------
> Rule name: allow_all
> User category: all
> Host category: all
> Service category: all
> Description: Allow all users to access any host from any host
> Enabled: FALSE
>
> Rule name: Unixari na test servery
> Enabled: TRUE
> User Groups: grpunixadmins
> Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> Services: login, sshd, sudo, sudo-i, su, su-l
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> This is my /etc/sssd/sssd.conf.
It the same like on Centos 7.0 server, just > with proper server name of course: > > [root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf > [domain/linuxdomain.cz] > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = linuxdomain.cz > id_provider = ipa > krb5_realm = LINUXDOMAIN.CZ > auth_provider = ipa > access_provider = ipa > ipa_hostname = zp-cml-test.linuxdomain.cz > chpass_provider = ipa > ipa_server = svlxxipap.linuxdomain.cz > ldap_tls_cacert = /etc/ipa/ca.crt > override_shell = /bin/bash > sudo_provider = ldap > ldap_uri = ldap://svlxxipap.linuxdomain.cz > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz > ldap_sasl_mech = GSSAPI > #ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz > ldap_sasl_realm = LINUXDOMAIN.CZ > krb5_server = svlxxipap.linuxdomain.cz > > [sssd] > services = nss, sudo, pam, ssh > config_file_version = 2 > debug_level = 0x3ff0 > domains = linuxdomain.cz > [nss] > homedir_substring = /home > > [pam] > [sudo] > debug_level = 0x3ff0 > [autofs] > [ssh] > [pac] > [ifp] > > This is output from sssd_sudo.log: > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): > Client connected! > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Offered version [1]. 
> (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' > sd-stc.cz', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' > sd-stc.cz', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [simecek.tomas at sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [simecek.tomas at sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About > to get sudo rules from cache > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [@sd-stc.cz] > (Wed Jul 13 
08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > protocol version [1] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' > sd-stc.cz', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain ' > sd-stc.cz', user is simecek.tomas > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [simecek.tomas at sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): > Returning info for user [simecek.tomas at sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): > Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About > to get sudo rules from cache > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > (0x0400): No such entry > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > (0x0200): Searching sysdb with > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain > 
users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=% > mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz > )(sudoUser=%grpunixadmins)(sudoUser=+*)))] > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz] > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client > disconnected! > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): > Terminated client [0x1330300][18] When you look into the domain logs, do they show some rules being fetched? You can also install ldbsearch and then check what rules got stored in the cache: ldbsearch -H /var/lib/sss/db/cache_$domain.ldb From simecek.tomas at gmail.com Wed Jul 13 10:44:29 2016 From: simecek.tomas at gmail.com (Tomas Simecek) Date: Wed, 13 Jul 2016 12:44:29 +0200 Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0? In-Reply-To: <20160713095004.GB12285@hendrix> References: <20160713095004.GB12285@hendrix> Message-ID: Diky Jakube, in domain log below I can see that rules were found properly: (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to 
rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] It also matches the rule and says "Access granted": (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.tomas at sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] It also mentiones SELinux, but I know it is disabled. Any idea what to check next please? 
Full part of the log follows:
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 27305
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 601
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [27310]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][SD-STC]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [27310].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [27310] finished successfully.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][45].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468404320][1468404320][1468440320][1468490720].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [988604700][988604700].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_check_ccache_princ] (0x2000): Searching for [simecek.tomas at SD-STC.CZ] in cache of type [FILE]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 27305
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for
[cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], 
ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], 
ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz 
,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] 
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] 
[hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.tomas at sd-stc.cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): 
Trace: ldap_result found nothing! (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x2000): Connection status is [online]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: 
[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]. (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30 (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

Tomas Simecek

2016-07-13 11:50 GMT+02:00 Jakub Hrozek :

> On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> > Dear freeIPA gurus,
> > in the previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me get sudo working for AD users on CentOS 7.0 (spcss-2t-www.linuxdomain.cz).
> > It was caused by not knowing sudo needs to be enabled in HBAC rules.
> > Now it works properly on the CentOS 7.0 client.
> > But it does not work on CentOS 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup.
> > The error message is always:
> >
> > [simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> > [sudo] password for simecek.tomas at sd-stc.cz:
> > simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test. This incident will be reported.
> >
> > Here are my HBAC rules; the second one should apply. It definitely applies for the CentOS 7.0 server:
> > [root at svlxxipap ~]# ipa hbacrule-find
> > --------------------
> > 2 HBAC rules matched
> > --------------------
> >   Rule name: allow_all
> >   User category: all
> >   Host category: all
> >   Service category: all
> >   Description: Allow all users to access any host from any host
> >   Enabled: FALSE
> >
> >   Rule name: Unixari na test servery
> >   Enabled: TRUE
> >   User Groups: grpunixadmins
> >   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >   Services: login, sshd, sudo, sudo-i, su, su-l
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > This is my /etc/sssd/sssd.conf. It is the same as on the CentOS 7.0 server, just with the proper server name of course:
> >
> > [root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf
> > [domain/linuxdomain.cz]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = linuxdomain.cz
> > id_provider = ipa
> > krb5_realm = LINUXDOMAIN.CZ
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = zp-cml-test.linuxdomain.cz
> > chpass_provider = ipa
> > ipa_server = svlxxipap.linuxdomain.cz
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > override_shell = /bin/bash
> > sudo_provider = ldap
> > ldap_uri = ldap://svlxxipap.linuxdomain.cz
> > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> > ldap_sasl_mech = GSSAPI
> > #ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
> > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> > ldap_sasl_realm = LINUXDOMAIN.CZ
> > krb5_server = svlxxipap.linuxdomain.cz
> >
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> > debug_level = 0x3ff0
> > domains = linuxdomain.cz
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > [sudo]
> > debug_level = 0x3ff0
> > [autofs]
> > [ssh]
> > [pac]
> > [ifp]
> >
> > This is the output from sssd_sudo.log:
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1330300][18]
>
> When you look into the domain logs, do they show some rules being fetched?
>
> You can also install ldbsearch and then check what rules got stored in the cache:
> ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From lslebodn at redhat.com Wed Jul 13 11:27:09 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 13 Jul 2016 13:27:09 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References:
Message-ID: <20160713112708.GB15067@10.4.128.1>

On (13/07/16 11:18), Tomas Simecek wrote:
>Dear freeIPA gurus,
>in the previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo work for AD users on CentOS 7.0 (spcss-2t-www.linuxdomain.cz).
>It was caused by not knowing that sudo needs to be enabled in HBAC rules.
>Now it works properly on the CentOS 7.0 client.
>But it does not work on CentOS 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup.
>Error message is always:
>
A) I would not recommend using such an obsolete distribution as CentOS 6.5. It has quite an old version of sssd (1.9.x) which has some bugs that are solved in later versions. Better would be to use the latest CentOS 6.8, or at least CentOS 6.7.

B) Have you tried to follow the instructions at
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

Please provide any comments on how we can improve the troubleshooting wiki.

LS

From simecek.tomas at gmail.com Wed Jul 13 11:36:41 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 13 Jul 2016 13:36:41 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160713112708.GB15067@10.4.128.1>
References: <20160713112708.GB15067@10.4.128.1>
Message-ID:

Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc (you can see it at the beginning of the thread).
Actually the installation is:
[root@zp-cml-test sssd]# cat /etc/redhat-release
CentOS release 6.6 (Final)

and the versions are:
[root@zp-cml-test sssd]# rpm -qa |grep sssd
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64

There are some reasons why not to upgrade to later versions; believe me, I would do it if I could :-)

T.

From lslebodn at redhat.com Wed Jul 13 11:44:09 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 13 Jul 2016 13:44:09 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713112708.GB15067@10.4.128.1>
Message-ID: <20160713114408.GC15067@10.4.128.1>

On (13/07/16 13:36), Tomas Simecek wrote:
>Lukas,
>yes, I went through that guide and I configured sssd.conf as per the doc
>(you can see it at the beginning of the thread).
>
>Actually the installation is:
>[root@zp-cml-test sssd]# cat /etc/redhat-release
>CentOS release 6.6 (Final)
>
>and the versions are:
>[root@zp-cml-test sssd]# rpm -qa |grep sssd
>sssd-proxy-1.11.6-30.el6.x86_64
>sssd-common-pac-1.11.6-30.el6.x86_64
>sssd-ipa-1.11.6-30.el6.x86_64
>sssd-1.11.6-30.el6.x86_64
>sssd-common-1.11.6-30.el6.x86_64
>sssd-ad-1.11.6-30.el6.x86_64
>sssd-ldap-1.11.6-30.el6.x86_64
>python-sssdconfig-1.11.6-30.el6.noarch
>sssd-krb5-common-1.11.6-30.el6.x86_64
>sssd-krb5-1.11.6-30.el6.x86_64
>sssd-client-1.11.6-30.el6.x86_64
>
1.11 has sudo_provider=ipa

@see the instructions in man sssd-sudo on how to configure it.
It should avoid issues with two different providers (ipa and ldap).

>
>There are some reasons why not to upgrade to later versions; believe me, I
>would do it if I could :-)
>
You can at least try to upgrade sssd from 6.8 if you do not want to upgrade the whole OS.

LS

From simecek.tomas at gmail.com Wed Jul 13 12:25:48 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 13 Jul 2016 14:25:48 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160713114408.GC15067@10.4.128.1>
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1>
Message-ID:

Thanks for your information Lukas,
I have changed sudo_provider to ipa, restarted sssd and there is no difference.
The logfile still says "Access granted by HBAC rule..." and sudo says simecek.tomas@sd-stc.cz is not allowed to run sudo on zp-cml-test.

Btw. man sssd-sudo says:
The following example shows how to configure SSSD to download sudo rules from an LDAP server.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap

so I am not that sure what should be set on my version of sssd.

Any idea?

Thanks

T.

From ladner.danila at gmail.com Wed Jul 13 12:52:30 2016
From: ladner.danila at gmail.com (ladner.danila at gmail.com)
Date: Wed, 13 Jul 2016 08:52:30 -0400
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1>
Message-ID: <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com>

Again, what is the client version on 6.5?
Sent from my iPhone

From simecek.tomas at gmail.com Wed Jul 13 13:02:56 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 13 Jul 2016 15:02:56 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com>
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com>
Message-ID:

Hi,
the versions are:
sssd-client-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-client-3.0.0-50.el6.centos.1.x86_64
as part of:
CentOS release 6.6 (Final)

T.

From ladner.danila at gmail.com Wed Jul 13 13:39:33 2016
From: ladner.danila at gmail.com (ladner.danila at gmail.com)
Date: Wed, 13 Jul 2016 09:39:33 -0400
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com>
Message-ID: <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com>

Update to at least 1.12 sssd and libsss_sudo. As I recall, the sudo ipa provider did not work under 1.11.

Sent from my iPhone

From simecek.tomas at gmail.com Wed Jul 13 13:56:17 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Wed, 13 Jul 2016 15:56:17 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com>
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com>
Message-ID:

Thanks, I will try. But I am afraid to update to a more recent version than those in the official repos.
Thanks anyway.

T.
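The sudo responder log quoted earlier in this thread ends in "Returning 0 rules", while the domain log shows an HBAC grant and nothing else; Jakub's and Justin's advice in this thread is to check whether the domain provider actually downloaded rules (the sdap_sudo_refresh_load_done messages) and what reached the cache (ldbsearch). The script below is an editor's added example placed after Tomas's reply, not code from anyone in the thread and not SSSD code: it parses constructed log lines modelled on the ones quoted here and reports the first stage that failed. The message formats are assumed to be those of the sssd 1.11-era debug logs quoted in this thread; the rule names in the "healthy" sample and the diagnosis labels are invented for illustration.

```python
"""Triage an SSSD sudo failure from sssd_sudo.log and sssd_<domain>.log excerpts.

Editor's added example, not SSSD code. The sample lines are constructed and
modelled on the debug output quoted in this thread; message formats are
assumed to be those of sssd 1.11-era logs.
"""
import re
from typing import Dict, List

# Constructed sudo-responder excerpt: the responder asks its local cache
# (sysdb) for every identity the user could match and gets nothing back.
SUDO_LOG = """\
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
"""

# Constructed domain-provider excerpt with only an HBAC decision: HBAC admits
# the "sudo" PAM service, but no sudo rule refresh is logged at all.
DOMAIN_LOG_NO_REFRESH = """\
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
"""

# Constructed excerpt from a healthy client (rule names invented): the provider
# downloaded two rules and wrote them to the cache.
DOMAIN_LOG_REFRESH = """\
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
(Wed Jul 13 12:05:22 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Received 2 rules
(Wed Jul 13 12:05:22 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule admins_all
(Wed Jul 13 12:05:22 2016) [sssd[be[linuxdomain.cz]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule defaults
(Wed Jul 13 12:05:22 2016) [sssd[be[linuxdomain.cz]]] [sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache
"""

_SUDOUSER = re.compile(r"\(sudoUser=([^()]+)\)")
_RETURNING = re.compile(r"\[sudosrv_get_sudorules_from_cache\].*Returning (\d+) rules for \[([^\]]+)\]")
_HBAC_GRANT = re.compile(r"\[ipa_hbac_evaluate_rules\].*Access granted by HBAC rule \[([^\]]+)\]")
_RECEIVED = re.compile(r"\[sdap_sudo_refresh_load_done\].*Received (\d+) rules")
_SAVED = re.compile(r"\[sysdb_save_sudorule\].*Adding sudo rule (\S+)")
# The message quoted in the thread is spelled "successfuly"; accept either spelling.
_STORED = re.compile(r"\[sdap_sudo_refresh_load_done\].*successful?ly stored in cache")


def sysdb_filter_identities(sudo_log: str) -> List[str]:
    """sudoUser values the responder searched for (ALL, user, #uid, %group, +netgroup)."""
    found: List[str] = []
    for line in sudo_log.splitlines():
        if "[sudosrv_get_sudorules_query_cache]" not in line:
            continue
        for ident in _SUDOUSER.findall(line):
            if ident not in found:
                found.append(ident)
    return found


def rules_returned(sudo_log: str) -> Dict[str, int]:
    """How many cached rules the responder handed to sudo, per user."""
    counts: Dict[str, int] = {}
    for line in sudo_log.splitlines():
        m = _RETURNING.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def hbac_grants(domain_log: str) -> List[str]:
    """HBAC rules that granted the PAM request; this stage says nothing about sudo rules."""
    return [m.group(1) for m in map(_HBAC_GRANT.search, domain_log.splitlines()) if m]


def sudo_refresh(domain_log: str) -> Dict[str, object]:
    """Count received, rule names saved and stored flag from the provider's sudo refresh."""
    received, saved, stored = None, [], False
    for line in domain_log.splitlines():
        m = _RECEIVED.search(line)
        if m:
            received = int(m.group(1))
        m = _SAVED.search(line)
        if m:
            saved.append(m.group(1))
        if _STORED.search(line):
            stored = True
    return {"received": received, "saved": saved, "stored": stored}


def diagnose(sudo_log: str, domain_log: str) -> str:
    """Return the first failed stage, in the order a sudo request is actually decided."""
    if not hbac_grants(domain_log):
        return "no-hbac-grant-logged"      # fix HBAC first (the earlier thread)
    refresh = sudo_refresh(domain_log)
    if refresh["received"] is None:
        return "no-sudo-refresh"           # provider never tried: check sudo_provider / services
    if refresh["received"] == 0:
        return "provider-found-no-rules"   # server returned nothing for this host
    if not refresh["stored"]:
        return "refresh-not-stored"        # download happened, cache write did not
    returned = rules_returned(sudo_log)
    if returned and all(n == 0 for n in returned.values()):
        return "cached-rules-not-matched"  # compare identities with ldbsearch output
    return "ok"


if __name__ == "__main__":
    print("identities searched:", sysdb_filter_identities(SUDO_LOG))
    print("client in this thread:", diagnose(SUDO_LOG, DOMAIN_LOG_NO_REFRESH))
    print("healthy client:", diagnose(SUDO_LOG, DOMAIN_LOG_REFRESH))
```

The point of separating the stages is that "Access granted by HBAC rule" only proves the PAM stage passed; the responder still decides from whatever the domain provider wrote into the cache. When the diagnosis is "cached-rules-not-matched", compare the list from sysdb_filter_identities() with the sudoUser values in the output of ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=sudorule: a rule applies only if one of those identities (user, #uid, %group or ALL) appears verbatim in the cached entry.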
From jstephen at redhat.com Wed Jul 13 14:24:15 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Wed, 13 Jul 2016 10:24:15 -0400
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713095004.GB12285@hendrix>
Message-ID: <4a5e608c-3c09-4e2c-9c79-97dd8808c5b5@redhat.com>

These logs are related to HBAC rules, not sudo rule retrieval from IPA.

In the domain log you want to look for log messages similar to:

[sdap_sudo_refresh_load_done] (0x0400): Received $num-rules rules
[sssd[be[LDAP.PB]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule $rule-name
[sdap_sudo_refresh_load_done] (0x0400): Sudoers is successfuly stored in cache

You can check if the expected sudo rule is stored in the sssd cache file with the following command:

# ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=sudorule

If it is not there, then likely the problem is in the domain log because sssd is not retrieving the sudo rule from the IPA server correctly.

Kind regards,
Justin Stephenson

On 07/13/2016 06:44 AM, Tomas Simecek wrote:
> Thanks Jakub,
> in the domain log below I can see that the rules were found properly:
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
>
> It also matches the rule and says "Access granted":
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas@sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas@sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
>
> It also mentions SELinux, but I know it is disabled.
>
> Any idea what to check next please?
> Full part of the log follows:
>
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0100): Got request for [3][1][name=simecek.tomas]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_subdom_acct_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas@sd-stc.cz
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas@sd-stc.cz
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 27305
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [988604700][988604700].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 601
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [27310]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [27310]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][SD-STC]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f1f060], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:20 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f123f0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x0400): 4th component is not 'trust', nothing to do.
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipaNTFlatName] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipaNTSecurityIdentifier] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f60480], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x0400): > Search result: Success(0), no errmsg set > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [get_subdomains_callback] (0x0400): Backend > returned: (0, 0, ) [Success] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [child_sig_handler] (0x1000): Waiting for > child [27310]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [child_sig_handler] (0x0100): child [27310] > finished successfully. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [read_pipe_handler] (0x0400): EOF received, > client finished > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [parse_krb5_child_response] (0x1000): child > response [0][3][45]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [parse_krb5_child_response] (0x1000): child > response [0][-1073741822][24]. 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [parse_krb5_child_response] (0x1000): child > response [0][-1073741823][32]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [parse_krb5_child_response] (0x1000): TGT > times are [1468404320][1468404320][1468440320][1468490720]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [parse_krb5_child_response] (0x1000): child > response [0][6][8]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [fo_set_port_status] (0x0100): Marking port > 0 of server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [set_server_common_status] (0x0100): > Marking server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [fo_set_port_status] (0x0400): Marking port > 0 of duplicate server 'svlxxipap.linuxdomain.cz > ' as 'working' > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [switch_creds] (0x0200): Switch user to > [988604700][988604700]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sss_krb5_check_ccache_princ] (0x2000): > Searching for [simecek.tomas at SD-STC.CZ > ] in cache of type [FILE] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [switch_creds] (0x0200): Switch user to [0][0]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [safe_remove_old_ccache_file] (0x0400): New > and old ccache file are the same, none will be deleted. 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Backend > returned: (0, 0, ) [Success] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sending > result [0][sd-stc.cz ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler_callback] (0x0100): Sent > result [0][sd-stc.cz ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sbus_get_sender_id_send] (0x2000): Not a > sysbus message, quit > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_get_account_info] (0x0100): Got request > for [3][1][name=simecek.tomas] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_req_set_domain] (0x0400): Changing > request domain from [linuxdomain.cz ] to > [sd-stc.cz ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_get_subdom_acct_send] (0x0400): > Initgroups requests are not handled by the IPA provider but are > resolved by the responder directly from the cache. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [acctinfo_callback] (0x0100): Request > processed. 
Returned 3,95,Account info lookup failed > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sbus_get_sender_id_send] (0x2000): Not a > sysbus message, quit > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_req_set_domain] (0x0400): Changing > request domain from [linuxdomain.cz ] to > [sd-stc.cz ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [be_pam_handler] (0x0100): Got request with > the following data > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): command: > PAM_ACCT_MGMT > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): domain: > sd-stc.cz > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): user: > simecek.tomas at sd-stc.cz > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): service: sudo > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): tty: /dev/pts/0 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): ruser: > simecek.tomas at sd-stc.cz > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): rhost: > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): authtok type: 0 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): priv: 0 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [pam_print_data] (0x0100): cli_pid: 27305 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_access_send] (0x0400): Performing > access check for user [simecek.tomas at sd-stc.cz > ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_account_expired_rhds] (0x0400): > Performing RHDS access check for user [simecek.tomas at sd-stc.cz > ] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] 
[sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with > [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz > ))][cn=accounts,dc=linuxdomain,dc=cz]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectClass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [fqdn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [serverHostname] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipaSshPubKey] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipaUniqueID] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 24 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectClass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [fqdn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [serverHostname] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 
12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipaSshPubKey] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipaUniqueID] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x0400): > Search result: Success(0), no errmsg set > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x2000): Total > count [0] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_has_deref_support] (0x0400): The > server supports deref method OpenLDAP > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_deref_search_send] (0x2000): Server > supports OpenLDAP deref > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_x_deref_search_send] (0x0400): > Dereferencing entry [fqdn=zp-cml-test.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] > using OpenLDAP deref > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with [no > filter][fqdn=zp-cml-test.linuxdomain.cz > ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz]. 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectClass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipaUniqueID] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 25 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_x_deref_parse_entry] (0x0400): Got > deref control > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_deref] (0x1000): Dereferenced > DN: > ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_deref] (0x1000): Dereferenced > DN: > ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_x_deref_parse_entry] (0x0400): All > deref results from a single control parsed > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f39290], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] 
(0x0400): > Search result: Success(0), no errmsg set > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x2000): Total > count [0] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hostgroup_info_done] (0x0200): No host > groups were dereferenced > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_service_info_next] (0x0400): > Sending request for next search base: > [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with > [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz]. > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [member] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 26 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) 
[sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) 
[sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] 
[sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x0400): > Search result: Success(0), no errmsg set > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x2000): Total > count [0] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_servicegroup_info_next] (0x0400): > Sending request for next search base: > [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x0400): > calling ldap_search_ext with > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [member] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x1000): > Requesting attrs: [memberOf] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_step] (0x2000): > ldap_search_ext called, msgid = 27 > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > ldap_result found nothing! 
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [member] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [objectclass] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [cn] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [ipauniqueid] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_parse_range] (0x2000): No > sub-attributes for [member] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_process_result] (0x2000): Trace: > sh[0x1f0e150], connected[1], ops[0x1f1fc00], ldap[0x1f03170] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x0400): > Search result: Success(0), no errmsg set > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [sdap_get_generic_ext_done] (0x2000): Total > count [0] > (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz > ]]] [ipa_hbac_rule_info_next] (0x0400): Sending > request for next search base: > 
> [cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz))
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [1] groups for [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [simecek.tomas at sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x2000): Connection status is [online].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1ee6830], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz].
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_done] (0x2000): Total count [0]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
> (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>
> Tomas Simecek
>
> 2016-07-13 11:50 GMT+02:00 Jakub Hrozek:
>
> > On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote:
> > > Dear freeIPA gurus,
> > > in the previous thread (https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo work for AD users on Centos 7.0 (spcss-2t-www.linuxdomain.cz).
> > > It was caused by not knowing sudo needs to be enabled in HBAC rules.
> > > Now it works properly on the Centos 7.0 client.
> > > But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the same sssd.conf setup.
> > > Error message is always:
> > >
> > > [simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> > > [sudo] password for simecek.tomas at sd-stc.cz:
> > > simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test. This incident will be reported.
> > >
> > > Here are my HBAC rules, the second one should apply. It definitely applies for the Centos 7.0 server:
> > > [root at svlxxipap ~]# ipa hbacrule-find
> > > --------------------
> > > 2 HBAC rules matched
> > > --------------------
> > >   Rule name: allow_all
> > >   User category: all
> > >   Host category: all
> > >   Service category: all
> > >   Description: Allow all users to access any host from any host
> > >   Enabled: FALSE
> > >
> > >   Rule name: Unixari na test servery
> > >   Enabled: TRUE
> > >   User Groups: grpunixadmins
> > >   Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> > >   Services: login, sshd, sudo, sudo-i, su, su-l
> > > ----------------------------
> > > Number of entries returned 2
> > > ----------------------------
> > >
> > > This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just with the proper server name of course:
> > >
> > > [root at zp-cml-test sssd]# cat /etc/sssd/sssd.conf
> > > [domain/linuxdomain.cz]
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = linuxdomain.cz
> > > id_provider = ipa
> > > krb5_realm = LINUXDOMAIN.CZ
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ipa_hostname = zp-cml-test.linuxdomain.cz
> > > chpass_provider = ipa
> > > ipa_server = svlxxipap.linuxdomain.cz
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > override_shell = /bin/bash
> > > sudo_provider = ldap
> > > ldap_uri = ldap://svlxxipap.linuxdomain.cz
> > > ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> > > ldap_sasl_mech = GSSAPI
> > > #ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
> > > ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> > > ldap_sasl_realm = LINUXDOMAIN.CZ
> > > krb5_server = svlxxipap.linuxdomain.cz
> > >
> > > [sssd]
> > > services = nss, sudo, pam, ssh
> > > config_file_version = 2
> > > debug_level = 0x3ff0
> > > domains = linuxdomain.cz
> > > [nss]
> > > homedir_substring = /home
> > >
> > > [pam]
> > > [sudo]
> > > debug_level = 0x3ff0
> > > [autofs]
> > > [ssh]
> > > [pac]
> > > [ifp]
> > >
> > > This is output from sssd_sudo.log:
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifi at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]
> > > (Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> > > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> > > (Wed Jul 13 08:58:42 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1330300][18]
> >
> > When you look into the domain logs, do they show some rules being fetched?
> >
> > You can also install ldbsearch and then check what rules got stored in the cache:
> > ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

-------------- next part --------------
An HTML attachment was scrubbed...

From ladner.danila at gmail.com Wed Jul 13 14:32:40 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Wed, 13 Jul 2016 10:32:40 -0400
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com>
Message-ID:

Update to this one:
It has been running smoothly on 6.5

[root at dev-zlei.sec1 ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root at dev-zlei.sec1 ~]# rpm -qa | grep sssd
sssd-client-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
python-sssdconfig-1.12.4-47.el6.noarch
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64

On Wed, Jul 13, 2016 at 9:56 AM, Tomas Simecek wrote:
> Thanks,
> I will try. But I am afraid to update to a more recent version than those in the official repos.
>
> Thanks anyway.
>
> T.
>
> 2016-07-13 15:39 GMT+02:00 :
>
>> Update to at least 1.12 sssd and libsss_sudo. As I recall the sudo ipa provider did not work under 1.11
>>
>> Sent from my iPhone
>>
>> On Jul 13, 2016, at 9:02 AM, Tomas Simecek wrote:
>>
>> Hi,
>> versions are:
>> sssd-client-1.11.6-30.el6.x86_64
>> sssd-ipa-1.11.6-30.el6.x86_64
>> ipa-client-3.0.0-50.el6.centos.1.x86_64
>> as part of:
>> CentOS release 6.6 (Final)
>>
>> T.
>>
>> 2016-07-13 14:52 GMT+02:00 :
>>
>>> Again, what is the client version on 6.5?
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek wrote:
>>>
>>> Thanks for your information Lukas,
>>> I have changed sudo_provider to ipa, restarted sssd and no difference.
>>> Logfile still says "Access granted by HBAC rule..." and sudo says
>>> simecek.tomas at sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>>
>>> Btw. man sssd-sudo says:
>>> The following example shows how to configure SSSD to download
>>> sudo rules from an LDAP server.
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam, sudo
>>> domains = EXAMPLE
>>>
>>> [domain/EXAMPLE]
>>> id_provider = ldap
>>>
>>> so I am not that sure what should be set on my version of sssd.
>>>
>>> Any idea?
>>>
>>> Thanks
>>>
>>> T.
>>>
>>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik:
>>>
>>>> On (13/07/16 13:36), Tomas Simecek wrote:
>>>> >Lukas,
>>>> >yes, I went through that guide and I configured sssd.conf as per the doc
>>>> >(you can see it in the beginning of the thread).
>>>> >
>>>> >Actually the installation is:
>>>> >[root at zp-cml-test sssd]# cat /etc/redhat-release
>>>> >CentOS release 6.6 (Final)
>>>> >
>>>> >and versions are:
>>>> >[root at zp-cml-test sssd]# rpm -qa |grep sssd
>>>> >sssd-proxy-1.11.6-30.el6.x86_64
>>>> >sssd-common-pac-1.11.6-30.el6.x86_64
>>>> >sssd-ipa-1.11.6-30.el6.x86_64
>>>> >sssd-1.11.6-30.el6.x86_64
>>>> >sssd-common-1.11.6-30.el6.x86_64
>>>> >sssd-ad-1.11.6-30.el6.x86_64
>>>> >sssd-ldap-1.11.6-30.el6.x86_64
>>>> >python-sssdconfig-1.11.6-30.el6.noarch
>>>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>>>> >sssd-krb5-1.11.6-30.el6.x86_64
>>>> >sssd-client-1.11.6-30.el6.x86_64
>>>> >
>>>> 1.11 has sudo_provider=ipa
>>>>
>>>> @see instructions in man sssd-sudo how to configure it.
>>>> It should avoid issues with two different providers (ipa and ldap)
>>>>
>>>> >
>>>> >There are some reasons why not to upgrade to later versions, believe me, I
>>>> >would do it if I could :-)
>>>> >
>>>> You can at least try to upgrade sssd from 6.8 if you do not want
>>>> to upgrade the whole OS.
>>>>
>>>> LS
>>>>
>>>
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
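The thread contrasts two signals: the domain log reports "Access granted by HBAC rule [...]" while sssd_sudo.log reports "Returning 0 rules for [...]". The following Python is an added example (not code from the thread or from sssd) that parses sssd debug records in the format quoted above and turns those two signals into a single finding; the sample lines are reconstructed from the thread with "@" restored, and the wording of the HBAC "denied" message is an assumption.

```python
"""Triage helper for sssd debug logs (added example, not code from the thread or
from sssd). It parses the record format quoted above and contrasts the two
signals the thread compares: the HBAC verdict in the domain log and how many
sudo rules sssd_sudo.log reports from the cache for the user."""
import re
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# One sssd debug record:
#   (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [func] (0x0080): message
# The process tag is a responder name ("sudo") or "be[<domain>]" for a backend.
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[a-z_]+(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Access granted by HBAC rule [name]" is the wording seen in the thread; the
# "denied" variant is assumed to have the same shape, with or without a name.
HBAC_RE = re.compile(
    r"^Access (?P<verdict>granted|denied) by HBAC rules?(?: \[(?P<rule>[^\]]*)\])?"
)
SERVICE_RE = re.compile(r"^Added service \[(?P<svc>[^\]]+)\] to rule \[(?P<rule>[^\]]*)\]")
SUDO_RULES_RE = re.compile(r"^Returning (?P<n>\d+) rules for \[(?P<who>[^\]]*)\]")

Record = namedtuple("Record", "ts proc func level msg")


def parse_lines(lines: List[str]) -> Tuple[List[Record], List[str]]:
    """Split input into records and leftover lines (the archive wraps long LDAP
    filters onto continuation lines that are not records themselves)."""
    records, unparsed = [], []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m is None:
            unparsed.append(line)
            continue
        records.append(Record(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"]))
    return records, unparsed


def summarize(records: List[Record]) -> Dict[str, object]:
    """Collect HBAC verdicts, the PAM services attached to each HBAC rule, and
    the last 'Returning N rules' count the sudo responder reported per user."""
    hbac: List[Tuple[str, str]] = []      # (verdict, rule name)
    services: Dict[str, Set[str]] = {}    # rule name -> PAM services
    sudo_rules: Dict[str, int] = {}       # user or "@domain" -> cached rule count
    for r in records:
        if r.proc.startswith("be["):
            m = HBAC_RE.match(r.msg)
            if m:
                hbac.append((m["verdict"], m["rule"] or ""))
            m = SERVICE_RE.match(r.msg)
            if m:
                services.setdefault(m["rule"], set()).add(m["svc"])
        elif r.proc == "sudo":
            m = SUDO_RULES_RE.match(r.msg)
            if m:
                sudo_rules[m["who"]] = int(m["n"])
    return {"hbac": hbac, "services": services, "sudo_rules": sudo_rules}


def diagnose(summary: Dict[str, object], user: str) -> Tuple[str, str]:
    """Return (finding code, explanation), checking HBAC first and the sudo
    rule cache second, the order the replies in the thread follow."""
    granted = [rule for verdict, rule in summary["hbac"] if verdict == "granted"]
    if not granted:
        return "no-hbac-grant", "No HBAC rule granted access; fix HBAC before looking at sudo."
    if not any("sudo" in summary["services"].get(rule, set()) for rule in granted):
        return "hbac-no-sudo-service", "HBAC granted access, but no granting rule lists the sudo service."
    count = summary["sudo_rules"].get(user)
    if count is None:
        return "no-sudo-output", "sssd_sudo.log has no 'Returning N rules' line for this user."
    if count == 0:
        return "sudo-cache-empty", ("HBAC allows sudo, but the sudo responder found 0 cached rules: "
                                    "check sudo_provider and inspect the cache with ldbsearch.")
    return "sudo-rules-cached", f"{count} sudo rule(s) cached; compare their sudoHost/sudoUser with this host and user."


# Constructed sample, reassembled from lines quoted in the thread (the archive
# renders "@" as " at "; the real log contains "@").
SAMPLE_LINES = [
    "(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery]",
    "(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery]",
    "(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery]",
    "(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]",
    "(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]",
    "(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]",
    "users@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=+*)))]",  # wrapped filter continuation
]

if __name__ == "__main__":
    recs, skipped = parse_lines(SAMPLE_LINES)
    code, text = diagnose(summarize(recs), "simecek.tomas@sd-stc.cz")
    print(f"{len(recs)} records parsed, {len(skipped)} skipped -> {code}: {text}")
```

Run it against real files with `parse_lines(open(path).read().splitlines())` for the domain log and the sudo log concatenated; the responder tag tells the two apart.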
From rcritten at redhat.com Wed Jul 13 14:45:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jul 2016 10:45:51 -0400
Subject: [Freeipa-users] (DRAFT) HA mail services with FreeIPA, postfix, dovecot, amavisd-new, clamd and PLAIN/GSSAPI SSO
In-Reply-To: <1632136.za3UAMGVFv@techz>
References: <1632136.za3UAMGVFv@techz>
Message-ID: <5786541F.4010400@redhat.com>

Günther J. Niederwimmer wrote:
> Hello,
>
> some days ago I found this doc, now I like to setup a secure mail server but
> the article is now missing?
>
> Can this come back?
>
> Thanks,
>

This is on the freeipa.org wiki which would have been nice to mention. It isn't exactly missing but the contents are gone. The author is the one who wiped it so there very well could be a good reason (like it doesn't work).

From my reading of the history it looks like it changed April 12, not a few days ago. You can see the original page at http://www.freeipa.org/index.php?title=(DRAFT)_HA_mail_services_with_FreeIPA,_postfix,_dovecot,_amavisd-new,_clamd_and_PLAIN/GSSAPI_SSO&oldid=12296

rob

From rcritten at redhat.com Wed Jul 13 15:11:21 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jul 2016 11:11:21 -0400
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To:
References: <57845C57.8000903@redhat.com>
Message-ID: <57865A19.3060509@redhat.com>

Harry Kashouli wrote:
> I tried uncommenting everything in the ipa-rewrite.conf file, but it
> still changed the web address. I'll try clearing the cache, in case that
> was still remembering the links.
>
> I may be attacking my original thought badly, if this is going to be bad
> for security. I'm wanting to allow users to change their passwords
> remotely, so I figured giving them public access to the Web UI was the
> way to go. Is there a better solution?

Moving back to list.

Getting the rewrite rules right can be tricky sometimes. You might have an easier time using a proxy instead. Exposing the UI increases the attack surface area so as usual it's a balance of security and convenience that you need to assess.

A community portal was started last summer but has largely stalled. This is the long-term plan for what you're looking for. The design and a pointer to the current code is at https://www.freeipa.org/page/V4/Community_Portal

rob

>
> -Harry
>
> On 11 July 2016 at 19:56, Rob Crittenden wrote:
>
> Harry Kashouli wrote:
>
> Hi all,
>
> I have a freeipa server set up, and would like to access the Web UI
> remotely (from outside my home network).
>
> I set up a fresh Fedora 24 server install, and installed freeipa-server.
> - I own a domain, domain.com
> - The hostname of my freeipa server is hostname.subdomain.domain.com
> - My home network domain is subdomain.domain.com
>
> I set up a CNAME hostname.domain.com and port forwardings, and I tested this works with nginx on the same
> machine; I can successfully see the nginx test page.
> I then assumed I could do the same with the freeipa Web UI, but when I
> navigate to http://hostname.domain.com:, it switches to
> https://hostname.subdomain.domain.com:, and with the
> following error: "Server not found"
>
> What am I doing wrong?
>
>
> Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
> to the real name of the IPA server when it was installed. You can
> try tweaking this to allow both names, or to just not do the rewriting.
>
> You may have issues with Kerberos and SSL due to using a different name.
>
> You definitely don't want to use IPA over an unsecure channel.
>
> rob
>

From christophe.trefois at uni.lu Wed Jul 13 16:30:17 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Wed, 13 Jul 2016 16:30:17 +0000
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To: <57865A19.3060509@redhat.com>
References: <57845C57.8000903@redhat.com> <57865A19.3060509@redhat.com>
Message-ID: <908BB43A-8C4E-4329-A928-116437C28ACC@uni.lu>

Hi Rob,

On that note, how do you handle password changes / first time logins for users that are external to the organization?

We need to create accounts for external partners, and expose the UI to the outside so that people can login and change their passwords / add their SSH keys.

However, I'm worried about security. Are there any recommendations there on how to do this? Is FreeIPA actually safe enough to do this?

Kind regards,

Christophe

> On 13 Jul 2016, at 17:11, Rob Crittenden wrote:
>
> Harry Kashouli wrote:
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an easier time using a proxy instead. Exposing the UI increases the attack surface area so as usual it's a balance of security and convenience that you need to assess.
>
> A community portal was started last summer but has largely stalled. This is the long-term plan for what you're looking for. The design and a pointer to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden wrote:
>>
>> Harry Kashouli wrote:
>>
>> Hi all,
>>
>> I have a freeipa server set up, and would like to access the Web UI
>> remotely (from outside my home network).
>>
>> I set up a fresh Fedora 24 server install, and installed freeipa-server.
>> - I own a domain, domain.com
>> - The hostname of my freeipa server is hostname.subdomain.domain.com
>> - My home network domain is subdomain.domain.com
>>
>> I set up a CNAME hostname.domain.com and port forwardings, and I tested this works with nginx on the same
>> machine; I can successfully see the nginx test page.
>> I then assumed I could do the same with the freeipa Web UI, but when I
>> navigate to http://hostname.domain.com:, it switches to
>> https://hostname.subdomain.domain.com:, and with the
>> following error: "Server not found"
>>
>> What am I doing wrong?
>>
>>
>> Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>> to the real name of the IPA server when it was installed. You can
>> try tweaking this to allow both names, or to just not do the rewriting.
>>
>> You may have issues with Kerberos and SSL due to using a different name.
>>
>> You definitely don't want to use IPA over an unsecure channel.
>> >> rob >> >> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From dsullivan2 at bsd.uchicago.edu Wed Jul 13 19:07:21 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Wed, 13 Jul 2016 19:07:21 +0000 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <20160713082000.GH25874@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <20160713082000.GH25874@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <1E1C6B4E-43F0-45EF-8254-C7C4C0D388ED@bsd.uchicago.edu> Sumit, Thank you for getting back to me I really appreciate you taking the time to help me assess this problem (I am not authorized to view this bug). In order to test I upgraded to ipa-server 4.2.0-15.el7_2.17 and flushed the cache on both the client and the server; the problem still presents itself. I?ve seen some threads around that seem related to what I am experiencing, i.e. https://www.redhat.com/archives/freeipa-users/2016-May/msg00354.html https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html Based on my reading I think that the version of the server I upgraded to would have fixed this problem, though (it did not). Dan Sullivan > On Jul 13, 2016, at 3:20 AM, Sumit Bose wrote: > > On Wed, Jul 13, 2016 at 08:37:44AM +0200, Jakub Hrozek wrote: >> On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote: >>> On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: >>>> Justin, >>>> >>>> I really appreciate you taking the time to respond to me. This problem >>>> is driving me crazy and I will certainly take any help I can get. 
My >>>> suspicion is that the external user group in the policy below was >>>> causing the log entry you specified, removing it from the policy does >>>> not remediate the problem, even after flushing the client cache. >>>> >>>> The way I have this setup is as follows: >>>> >>>> 1) I created a POSIX group in IPA named >>>> 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID. >>>> 2) I created an external group in IPA named >>>> 'cri-cri_server_administrators_external? and added the AD group in the >>>> trusted domain as an external member to this group >>>> (cri-cri_server_administrators at bsdad.uchicago.edu). >>>> 3) I added the group cri-cri_server_administrators_external' as a >>>> member of 'cri-cri_server_administrators_ipa? >>>> >>>> The HBAC rule is configured as (removing the external group does not >>>> seem to make a difference). >>>> >>>> [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all' >>>> Rule name: cri-cri_server_administrators_allow_all >>>> Host category: all >>>> Service category: all >>>> Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine >>>> Enabled: TRUE >>>> User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa >>>> [root at cri-ksysipadcp2 a.cri.dsullivan]# >>>> >>>> For example, the problem still persists when the policy is configured in this manner: >>>> >>>> [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all' >>>> Rule name: cri-cri_server_administrators_allow_all >>>> Host category: all >>>> Service category: all >>>> Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine >>>> Enabled: TRUE >>>> User Groups: cri-cri_server_administrators_ipa >>>> >>>> And my login validates against the host in question as follows: >>>> >>>> As I said I have this working consistently (i.e. 
>>>> can flush the cache) on another host with the same exact version of IPA and SSSD. Here is a
>>>> validation of hbactest (works with either of the two policy
>>>> configurations above).
>>> I think your problems are related to this snippet of your domain log
>>> where SSSD on IPA client was unable to add membership of your user to
>>> any of these groups:
>>>
>
> ...
>
>>>
>>> as a result, the user is viewed by SSSD on this IPA client as not
>>> belonging to the cri-cri_server_administrators at bsdad.uchicago.edu group
>>> and thus, HBAC rule validation on this client fails.
>>
>> First, we have some debug messages in this part of sssd that can really
>> use some improvement. That is, some debug messages are expected to
>> report failures and we recover from them later.
>>
>> But in general Alexander is right. Does 'id
>> a.cri.dsullivan at bsdad.uchicago.edu' report the user as a member of the
>> group that should be allowing access?
>>
>> If not, I would suggest to run:
>> 1) sss_cache -E on both server and client (don't remove the cache,
>> please)
>> 2) truncate the logs on server and client
>> 3) run id a.cri.dsullivan at bsdad.uchicago.edu on the client
>> then send us the logs from that single id run.
>
> If some of the IPA group memberships are missing you might hit
> https://bugzilla.redhat.com/show_bug.cgi?id=1304333 which is not fixed
> in the IPA version you use (ipa-4.2.0-15.el7_2.6.1).
>
> Maybe upgrading the server helps?
>
> bye,
> Sumit

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From dsullivan2 at bsd.uchicago.edu Wed Jul 13 19:11:47 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Wed, 13 Jul 2016 19:11:47 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To:
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu>
Message-ID:

Hi, Lachlan,

Yes, I see that from here (https://www.redhat.com/archives/freeipa-users/2016-May/msg00322.html). Unfortunately clearing the cache and restarting SSSD is not proving to help us. I'd be interested to know any progress you make on this issue. Thank you for responding to me.

Best,

Dan Sullivan

On Jul 12, 2016, at 8:04 PM, Lachlan Musicman wrote:

This is exactly the issue I'm seeing too, various differences, but the symptoms are the same. Main diff would be that sometimes stopping sssd, clearing cache and restarting sssd works, but only if individual AD domain members are added to the external group - not AD domain groups.

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 13 July 2016 at 08:07, Sullivan, Daniel [AAA] wrote:

Justin,

I really appreciate you taking the time to respond to me. This problem is driving me crazy and I will certainly take any help I can get.
My suspicion is that the external user group in the policy below was causing the log entry you specified, removing it from the policy does not remediate the problem, even after flushing the client cache.

The way I have this setup is as follows:

1) I created a POSIX group in IPA named 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
2) I created an external group in IPA named 'cri-cri_server_administrators_external' and added the AD group in the trusted domain as an external member to this group (cri-cri_server_administrators at bsdad.uchicago.edu).
3) I added the group cri-cri_server_administrators_external as a member of 'cri-cri_server_administrators_ipa'

The HBAC rule is configured as (removing the external group does not seem to make a difference).

[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
Rule name: cri-cri_server_administrators_allow_all
Host category: all
Service category: all
Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
Enabled: TRUE
User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
[root at cri-ksysipadcp2 a.cri.dsullivan]#

For example, the problem still persists when the policy is configured in this manner:

[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
Rule name: cri-cri_server_administrators_allow_all
Host category: all
Service category: all
Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
Enabled: TRUE
User Groups: cri-cri_server_administrators_ipa

And my login validates against the host in question as follows:

As I said I have this working consistently (i.e. can flush the cache) on another host with the same exact version of IPA and SSSD. Here is a validation of hbactest (works with either of the two policy configurations above).
[root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbactest
User name: a.cri.dsullivan at bsdad.uchicago.edu
Target host: cri-kcriwebgdp1.cri.uchicago.edu
Service: sshd
--------------------
Access granted: True
--------------------
Matched rules: cri-cri_server_administrators_allow_all
Not matched rules: cri-hpc_server_administration
Not matched rules: Gardner_cluster_login_no_ssh
Not matched rules: s.cri.ipa-idprovisioner_domain_controllers
[root at cri-ksysipadcp2 a.cri.dsullivan]#

Thank you again for your response.

Best,

Dan

On Jul 12, 2016, at 4:12 PM, Justin Stephenson wrote:

Hello,

I am assuming this is the AD trust user that is having the problem with HBAC, in my testing I was only allowed access when the HBAC rule is linked to the IDM POSIX AD trust group and not the external group used to retrieve AD trust users.

I noticed the following in the logs which is why I mention this:

(Tue Jul 12 13:30:12 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [cri-cri_server_administrators_external] to rule [cri-cri_server_administrators_allow_all]

If this does not help, could you share with us more about the HBAC rule 'cri-cri_server_administrators_allow_all' and how it is configured?

# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'

Kind regards,
Justin Stephenson

On 07/12/2016 04:11 PM, Sullivan, Daniel [AAA] wrote:

Hi,

I am experiencing an HBAC issue that is proving to be very difficult to diagnose. It appears very closely related to the issue described in this thread (https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/thread/DTX4LP5VI2AHANMT4QFXERCN7US2TCUB/), except that clearing the cache does not fix the problem. I am further stumped by the fact that I have an additional machine that was deployed from an identical VMWare template image which IPA HBAC works correctly on.
From a client perspective I am working with a fully updated version of RHEL 6.8 with ipa-client 3.0.0-50.el6.1 and sssd 1.13.3-22.el6. We have a domain with 2 IPA domain controllers (RHEL 7.2 and ipa-server 4.2.0-15.el7_2.6.1); I have since shut down one of the two domain controllers and cleared the cache (/var/lib/sssd/db/*) on both clients and restarted sssd (to isolate a potential replication problem between DCs); the HBAC rule validates correctly on the only remaining DC (basically an 'any any' rule). HBAC (the ability to login via sshd) continues to work on only one of the two clients.

From what I can tell, both clients have the same version of all ipa-client and sssd (and presumably related packages as both clients are fully updated). I have compared their /etc/sshd/sshd_config, /etc/sssd/sssd.conf and all configurations in /etc/pam.d and both systems appear consistent.

I feel that it is worthwhile to mention that I believe that one of the two machines in question (the one that is not working) was bound as a CentrifyDC client. We are planning on replacing CentrifyDC with FreeIPA (for several reasons), so it is important that we are able to take an existing CentrifyDC client, unbind it, uninstall the CentrifyDC package(s), and install FreeIPA in its place. Regardless of whether CentrifyDC was previously installed, I feel that my somewhat thorough examination of /etc/sshd/sshd_config and the contents of /etc/pam.d would negate any potential residual configuration from Centrify that would cause this sort of problem.

I have posted my domain log here: http://pastebin.com/41KeSnq4

It is also probably worthwhile to mention that I am authenticating as a user in a trusted domain, although I believe this should be apparent in the pastebin. I am hoping that a subject matter expert in IPA and/or SSSD would be able to help me further diagnose the access denied by HBAC entry that is present in the pastebin specified above.
As I said, I have cleared /var/lib/sss/db/* and reinstalled IPA-client several times. I have also rebooted the system completely.

Thank you for considering helping me; I appreciate your time and expertise.

Best,

Dan
From dsullivan2 at bsd.uchicago.edu Wed Jul 13 19:14:23 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Wed, 13 Jul 2016 19:14:23 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160713063744.GM24683@hendrix>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix>
Message-ID: <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu>

Jakub, Justin,

Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I've been dealing with a production issue for most of the morning.
An invocation of 'id a.cri.dsullivan at bsdad.uchicago.edu' on the IPA DC shows me as a member of the POSIX IPA group (cri_server_administrators_ipa at ipa.cri.uchicago.edu) as well as the AD domain group in the trusted domain (cri-aaa_server_administrators at bsdad.uchicago.edu). This remains consistent across any number of successful sshd logins into the DC using my a.cri.dsullivan at bsdad.uchicago.edu account, including after clearing the cache on the DC.

On the client, I am seeing some unusual behavior. If I run the commands 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/* ; service sssd start', then run 'id a.cri.dsullivan at bsdad.uchicago.edu', I see the POSIX IPA group as well as the AD domain group as described above (what I presumably want and expect). However (and this is the unusual part), if I attempt to login via SSH (it will fail with HBAC validation), and then run the 'id a.cri.dsullivan at bsdad.uchicago.edu' command again, the POSIX IPA group disappears from the list of groups output by the id command. From what I can tell, this group will not reappear in the group list on the client until the client cache is cleared. Presumably this behavior is related to the HBAC authentication errors I am experiencing. I have cleared the cache on both the DC and the client using sss_cache -E and this behavior is still exhibited.
With respect to output from testing:

1) The sssd domain log from the client of the initial id invocation (both groups appear) after clearing the cache (on the client) can be found here (this output contains both groups):
https://gist.github.com/dsulli99/7117f8d567cc7cdf727d474b0aeab8da

2) The sssd domain log from the client for the failed sshd login (similar to the output I provided yesterday, however re-captured) can be found here (after this operation the IPA group disappears from the list of groups from the id command):
https://gist.github.com/dsulli99/668a8799709ff0cd311b321206591124

3) The DC log (after the client cache is cleared) of my running the id invocation (from the client) can be found here (this is the DC side of 1) from above):
https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39

4) The DC log of the failed sshd login into the client (this is the DC side of 2) from above) is
https://gist.github.com/dsulli99/4e3ba53c942ad78d7487ae51da92007e

I really appreciate your help with looking at this issue. As I said I have another machine built from the same image that this is working fine on. I am going to keep plugging away at this, I will let you know if I come up with anything.

Dan
From bob at jackland.demon.co.uk Wed Jul 13 19:56:26 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Wed, 13 Jul 2016 20:56:26 +0100
Subject: [Freeipa-users] named-pkcs11 fails to start on new replica
Message-ID:

Hi,

We are trying to create a new replica on RHEL 7.2. This completes but named-pkcs11 fails to start -

systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
  Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: ----------------------------------------------------
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.

# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283 ----------------------------------------------------
13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284 ----------------------------------------------------
13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)

# tail -2 /var/log
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store

I've tried "ipa-server-upgrade" and

mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
ipa-dns-install

But I haven't managed to fix it.

Using "ipactl start -f" means the rest of the ipa services seem to work properly, but without named.

Is there a way to fix the named issue or is it much simpler to disconnect the replica, uninstall it and start again?

Thanks

Bob Hinton

From kashmancy at gmail.com Wed Jul 13 22:02:47 2016
From: kashmancy at gmail.com (Harry Kashouli)
Date: Wed, 13 Jul 2016 15:02:47 -0700
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To: <57865A19.3060509@redhat.com>
References: <57845C57.8000903@redhat.com> <57865A19.3060509@redhat.com>
Message-ID:

Thanks for all the info. I think I sorted out the rewrite rules now, and the error I get is "Secure Connection Failed. SSL_ERROR_UNRECOGNIZED_NAME_ALERT".
I'm going to try and google this, since I'm assuming I need a ServerAlias somewhere. If someone knows the correct way, please let me know :)

-Harry

On 13 July 2016 at 08:11, Rob Crittenden wrote:

> Harry Kashouli wrote:
>
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>>
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an
> easier time using a proxy instead. Exposing the UI increases the attack
> surface area so as usual it's a balance of security and convenience that
> you need to assess.
>
> A community portal was started last summer but has largely stalled. This
> is the long-term plan for what you're looking for. The design and a pointer
> to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden wrote:
>>
>> Harry Kashouli wrote:
>>
>> Hi all,
>>
>> I have a freeipa server set up, and would like to access the Web UI
>> remotely (from outside my home network).
>>
>> I set up a fresh Fedora 24 server install, and installed freeipa-server.
>> - I own a domain, domain.com
>> - The hostname of my freeipa server is hostname.subdomain.domain.com
>> - My home network domain is subdomain.domain.com
>>
>> I set up a CNAME hostname.domain.com and port forwardings, and I tested
>> this works with nginx on the same machine; I can successfully see the
>> nginx test page.
>> I then assumed I could do the same with the freeipa Web UI, but when I
>> navigate to http://hostname.domain.com:, it switches to
>> https://hostname.subdomain.domain.com:, and with the following error:
>> "Server not found"
>>
>> What am I doing wrong?
>>
>>
>> Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>> to the real name of the IPA server when it was installed. You can
>> try tweaking this to allow both names, or to just not do the
>> rewriting.
>>
>> You may have issues with Kerberos and SSL due to using a different
>> name.
>>
>> You definitely don't want to use IPA over an unsecure channel.
>>
>> rob
>>

From datakid at gmail.com Thu Jul 14 01:47:41 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Thu, 14 Jul 2016 11:47:41 +1000
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

Ok, I have some logs of sssd 1.13.0 not working.

Same values as before:

FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156

Installed Packages
Name        : ipa-server
Arch        : x86_64
Version     : 4.2.0
Release     : 15.0.1.el7.centos.17
Size        : 5.0 M
Repo        : installed
From repo   : updates
Summary     : The IPA authentication server

Successfully joined in one way trust to AD.
Successfully have added hosts (Centos 7, sssd 1.13.0).

[root at vmpr-linuxidm ~]# ipa hbacrule-find
--------------------
5 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE

...
Rule name: ssh to galaxy
Service category: all
Description: Allows ssh to galaxy server
Enabled: TRUE
User Groups: ad_users
Hosts: papr-res-galaxy.unix.petermac.org.au

With allow_all HBAC rule enabled, can login every time with

ssh user at ad_domain@unix_host

If I implement a HBAC rule "ssh to galaxy" as per above, with:

ad_users is a POSIX group with a GID. It has one member, the group ad_external, an external group with a single, external, member pmc-res-ipausers at petermac.org.au which is an AD group containing all the users that should have access to the host.

With allow_all disabled and "ssh to galaxy" enabled, some users can login and some can't. There is no discernible pattern that might explain why some are discriminated against.

Here is the test from the server:

[root at vmpr-linuxidm ~]# ipa hbactest --user=sandsjordan at petermac.org.au --host=papr-res-galaxy.unix.petermac.org.au --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: ssh to galaxy
Not matched rules: Computing Cluster
Not matched rules: FACS Computing

I've installed ipa-admintools on the host in question and got the same result.

To be on the safe side/tick all boxes, I have cleared the cache on the host in question:

systemctl stop sssd
sss_cache -E
systemctl start sssd

and confirmed success with a status check.

When the user tries to login, it fails. Log is here: http://dpaste.com/0VAFNPH

The top is where the negotiating starts to the best of my knowledge. The attempt fails, with no information that is useful to me:

(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ssh to galaxy]
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ssh to galaxy]
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [3] groups for [ SandsJordan at petermac.org.au]
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 12 July 2016 at 09:08, Lachlan Musicman wrote:

> Alex, Sumit,
>
> Which log levels would you recommend for sssd to help debug this issue?
>
> We've been using 7, but I just realised that it's not an increasing scale
> but bitmasked...
>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 11 July 2016 at 17:15, Sumit Bose wrote:
>
>> On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
>> > On 11 July 2016 at 16:44, Alexander Bokovoy wrote:
>> >
>> > > On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>> > >
>> > >> Hola,
>> > >>
>> > >> Centos 7, up to date.
>> > >>
>> > >> [root at linuxidm ~]# ipa --version
>> > >> VERSION: 4.2.0, API_VERSION: 2.156
>> > >>
>> > >> One way trust is successfully established, can login with
>> > >>
>> > >> ssh username at domain1.com@server1.domain2.com
>> > >>
>> > >> Am testing to get HBAC to work.
>> > >>
>> > >> I've noticed that with the Allow All rule in effect, the following set up
>> > >> is sufficient:
>> > >>
>> > >> add external group "ad_external"
>> > >> add internal group, "ad_internal", add ad_external as a group member of
>> > >> ad_internal
>> > >>
>> > >> AD users can now successfully login to any server.
>> > >>
>> > >> When I tried to set up an HBAC, I couldn't get that set up to work, I
>> > >> needed to complete the extra step of adding AD users explicitly to the
>> > >> "external member" group of the external group.
>>
>> yes, this is expected, you either have to add AD users or groups to the
>> external groups.
>>
>> > >>
>> > >> I also note that this seems to be explicitly user based, not group based?
>> > >> IE, I can add lachlan at domain1.com to the external members of ad_external
>> > >> and that works, but adding the group server_admins at domain1.com (as seen
>> > >> in `id lachlan at domain1.com`) doesn't allow all members access.
>>
>> Since it looks like you are using FreeIPA 4.2 you might hit
>> https://fedorahosted.org/freeipa/ticket/5573 . But SSSD logs, especially
>> the part where the HBAC rules are evaluated, would help to understand the
>> issue better.
>>
>> > >>
>> > >> Does that sound correct?
>> > >>
>> > > No, it does not.
>> > > HBAC evaluation and external group merging/resolution is done by SSSD.
>> > > Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
>> > > that can help understanding what happens there.
>> > >
>> > > What SSSD version do you have on both IPA client and IPA server?
>> >
>> >
>> > 1.13.0 on both client and server.
>> >
>> > To be honest, we have ratcheted up the logs and it doesn't help that much.
>> > We just got lots of "unsupported PAM command [249]"
>>
>> This is unrelated, I assume this happens when trying to store the hashed
>> password to the cache. This message is removed in newer releases.
>>
>> bye,
>> Sumit
>>
>> >
>> > Cheers
>> > L.
>>

From prashant at apigee.com Thu Jul 14 04:46:20 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 14 Jul 2016 10:16:20 +0530
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To: <5783A97F.5040406@redhat.com>
References: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com> <5783A97F.5040406@redhat.com>
Message-ID:

Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty much impossible to solve it for mere mortals like me!

On 11 July 2016 at 19:43, Rob Crittenden wrote:

> Prashant Bapat wrote:
>
>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>> and compiled the ipa-pwd-extop slapi plugin.
>>
>> Now the user is denied bind. But unable to reset the password.
>>
>
> Right, it's a tricky problem which is why it hasn't been resolved yet. You
> have come full circle through the same steps we went through.
>
> rob
>
>
>>
>> On 8 July 2016 at 13:21, Martin Kosek wrote:
>>
>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>> > Anyone ?!
>> >
>> > On 6 July 2016 at 22:36, Prashant Bapat wrote:
>> >
>> > Hi,
>> >
>> > We are using FreeIPA's LDAP as the base for user authentication in a
>> > different application. So far I have created a sysaccount which does the
>> > lookup etc for a user and things are working as expected.
I'm >> even able to >> > use OTP from the external app. >> > >> > One problem I'm struggling to fix is the expired passwords. Is >> there a way >> > to deny bind to LDAP only from this application? Obviously the >> user would >> > need to go to IPA's web UI and reset his password there. >> > >> > I came across this tickethttps:// >> fedorahosted.org/freeipa/ticket/1539 but >> > looks like this is an old one. >> > >> > Thanks. >> > --Prashant >> >> Hello Prashant, >> >> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right >> ticket, if >> you want users with expired passwords to be denied, but it was not >> implemented >> yet. Help welcome! >> >> As a workaround, I assume you could simply leverage Kerberos for >> authentication >> - it does respect expired passwords. We have advise on how to >> integrate that to >> external web applications here: >> >> http://www.freeipa.org/page/Web_App_Authentication >> >> Martin >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From BJB at jndata.dk Thu Jul 14 05:18:28 2016 From: BJB at jndata.dk (Bjarne Blichfeldt) Date: Thu, 14 Jul 2016 05:18:28 +0000 Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) In-Reply-To: References: Message-ID: <89213DDB84447F44A8E8950A5C2185E04825FACC@SJN01013.jnmain00.corp.jndata.net> Well, I just had the same problem, but in my case I also tried to install a ca: ?ipa-replica-install --setup-ca ?..? Without ?--set-up? the installation succeeded. Regards, Bjarne From: Devin Acosta [mailto:linuxguru.co at gmail.com] Sent: 12. juli 2016 21:35 To: freeipa-users at redhat.com Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) I am trying to add a 4th replica to my FreeIPA installation. I am running the latest CentOS 7.2 (full updates) and i have tried multiple times and fails every time in same location. When it fails I remove the replication agreements and try again and keeps failing in same location. 
[root@ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@RSINC.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa03-aws.rsinc.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [25/38]: updating schema
  [26/38]: setting Auto Member configuration
  [27/38]: enabling S4U2Proxy delegation
  [28/38]: importing CA certificates from LDAP
  [29/38]: initializing group membership
  [30/38]: adding master entry
  [31/38]: initializing domain level
  [32/38]: configuring Posix uid/gid generation
  [33/38]: adding replication acis
  [34/38]: enabling compatibility plugin
  [35/38]: activating sidgen plugin
  [36/38]: activating extdom plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    One of the ldap service principals is missing. Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica

Please see attached file for the full log file.

Any help would be appreciated!

From jpazdziora at redhat.com Thu Jul 14 05:52:53 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 14 Jul 2016 07:52:53 +0200
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To:
References:
Message-ID: <20160714055253.GA17625@redhat.com>

On Mon, Jul 11, 2016 at 07:00:04PM -0700, Harry Kashouli wrote:
>
> I have a freeipa server set up, and would like to access the Web UI
> remotely (from outside my home network).
>
> I set up a fresh Fedora 24 server install, and installed freeipa-server.
> - I own a domain, domain.com
> - The hostname of my freeipa server is hostname.subdomain.domain.com
> - My home network domain is subdomain.domain.com
>
> I set up a CNAME hostname.domain.com and port forwardings, and I tested
> this works with nginx on the same machine; I can successfully see the nginx
> test page.
> I then assumed I could do the same with the freeipa Web UI, but when I
> navigate to http://hostname.domain.com:, it switches to
> https://hostname.subdomain.domain.com:, and with the
> following error: "Server not found"
>
> What am I doing wrong?

There are some more config tweaks likely needed. Writeup
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
should help you resolve the issue.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From lslebodn at redhat.com Thu Jul 14 07:17:38 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 14 Jul 2016 09:17:38 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com>
Message-ID: <20160714071738.GA19244@10.4.128.1>

On (13/07/16 10:32), Danila Ladner wrote:
>Update to this one:
>It has been running smoothly on 6.5
>
>[root@dev-zlei.sec1 ~]# cat /etc/redhat-release
>CentOS release 6.5 (Final)
>
>[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd
>sssd-client-1.12.4-47.el6.x86_64
>sssd-ldap-1.12.4-47.el6.x86_64
>sssd-ad-1.12.4-47.el6.x86_64
>python-sssdconfig-1.12.4-47.el6.noarch
>sssd-common-1.12.4-47.el6.x86_64
>sssd-proxy-1.12.4-47.el6.x86_64
>sssd-common-pac-1.12.4-47.el6.x86_64
>sssd-krb5-1.12.4-47.el6.x86_64
>sssd-ipa-1.12.4-47.el6.x86_64
>sssd-krb5-common-1.12.4-47.el6.x86_64
>sssd-1.12.4-47.el6.x86_64
>
+1 for latest sssd even on CentOS 6.5.

If you have a problem with 1.12 (from 6.7) then we can look into log files.
Because there is still a chance that you just hit a bug in 1.11 which is
solved in 1.12

If it will not work then please provide sssd.conf + log files with high
debug_level sssd_sudo.log and sssd_$domain.log

LS

From mbabinsk at redhat.com Thu Jul 14 07:39:05 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 14 Jul 2016 09:39:05 +0200
Subject: [Freeipa-users] named-pkcs11 fails to start on new replica
In-Reply-To:
References:
Message-ID: <2aa0dd5b-7f9b-0e14-92c4-4ee5ed616d32@redhat.com>

On 07/13/2016 09:56 PM, Bob Hinton wrote:
> Hi,
>
> We are trying to create a new replica on RHEL 7.2
>
> This completes but named-pkcs11 fails to start -
>
> systemctl status named-pkcs11.service
> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
>   Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
>   Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation.  Support and training for BIND 9 are
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: ----------------------------------------------------
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.
>
> # /usr/sbin/named-pkcs11 -d 9 -g
> 13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
> 13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
> 13-Jul-2016 19:31:01.283 ----------------------------------------------------
> 13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
> 13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 13-Jul-2016 19:31:01.284 corporation.  Support and training for BIND 9 are
> 13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
> 13-Jul-2016 19:31:01.284 ----------------------------------------------------
> 13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
> 13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
> 13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
> 13-Jul-2016 19:31:01.284 using up to 4096 sockets
> 13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
> 13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
> 13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
> 13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
> 13-Jul-2016 19:31:01.287 exiting (due to fatal error)
>
> # tail -2 /var/log
>
> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
>
> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store
>
> I've tried "ipa-server-upgrade" and
>
> mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
>
> ipa-dns-install
>
> But I haven't managed to fix it.
>
> Using "ipactl start -f" means the rest of the ipa services seem to work
> properly, but without named.
>
> Is there a way to fix the named issue or is it much simpler to
> disconnect the replica, uninstall it and start again ?
>
> Thanks
>
> Bob Hinton
>
>
>

Hi Bob,

If your SELinux is in enforcing mode I would check for AVCs, maybe the
token directory is mislabeled.

You also may be hitting https://fedorahosted.org/freeipa/ticket/5520 ,
there is a workaround described in the ticket.
--
Martin^3 Babinsky

From sbose at redhat.com Thu Jul 14 07:44:59 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 14 Jul 2016 09:44:59 +0200
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote:
> Ok, I have some logs of sssd 1.13.0 not working. Same values as before:
>
> FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156
>
> Installed Packages
> Name        : ipa-server
> Arch        : x86_64
> Version     : 4.2.0
> Release     : 15.0.1.el7.centos.17
> Size        : 5.0 M
> Repo        : installed
> From repo   : updates
> Summary     : The IPA authentication server
>
>
> Successfully joined in one way trust to AD.
>
> Successfully have added hosts (Centos 7, sssd 1.13.0).
>
>
> [root@vmpr-linuxidm ~]# ipa hbacrule-find
> --------------------
> 5 HBAC rules matched
> --------------------
>
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: FALSE
>
> ...
>
>   Rule name: ssh to galaxy
>   Service category: all
>   Description: Allows ssh to galaxy server
>   Enabled: TRUE
>   User Groups: ad_users
>   Hosts: papr-res-galaxy.unix.petermac.org.au
>
>
>
>
> With allow_all HBAC rule enabled, can login every time with
>
> ssh user@ad_domain@unix_host
>
> If I implement a HBAC rule "ssh to galaxy" as per above, with:
>
> ad_users is a POSIX group with a GID. It has one member, the group
>
> ad_external an external group with a single, external, member
>
> pmc-res-ipausers@petermac.org.au
>
> which is an AD group containing all the users that should have access to
> the host.
>
>
> With allow_all disabled and "ssh to galaxy" enabled, some users can login
> and some can't. There is no discernible pattern that might explain why some
> are discriminated against.
>
> Here is the test from the server:
>
> [root@vmpr-linuxidm ~]# ipa hbactest --user=sandsjordan@petermac.org.au --host=papr-res-galaxy.unix.petermac.org.au --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: ssh to galaxy
>   Not matched rules: Computing Cluster
>   Not matched rules: FACS Computing
>
> I've installed ipa-admintools on the host in question and got the same
> result.
>
> To be on the safe side/tick all boxes, I have cleared the cache on the host
> in question:
>
> systemctl stop sssd
> sss_cache -E
> systemctl start sssd
>
> and confirmed success with a status check.
>
> When the user tries to login, it fails.
>
> Log is here:
>
> http://dpaste.com/0VAFNPH
>
>
> The top is where the negotiating starts to the best of my knowledge.
>
> The attempt fails, with no information that is useful to me:
>
> 230 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> 231 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ssh to galaxy]
> 232 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ssh to galaxy]
> 233 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [3] groups for [SandsJordan@petermac.org.au]

According to the HBAC evaluation the user is a member of 3 groups. Is this
the expected number? Can you check if 'id SandsJordan@petermac.org.au'
returns the expected list of groups on the client and the IPA server? (The
client does not talk to AD directly, only to the IPA server, so if something
is already missing on the server it cannot be seen on the client as well).

Can you send me the SSSD cache file from the client
/var/lib/sss/db/cache_unix.petermac.org.au.ldb after the login attempt?
Since it might contain password hashes you might want to remove lines with
'cachedPassword' before

bye,
Sumit

> 234 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> 235 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
> 236 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
> 237 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]
>
>
> Cheers
> L.
>
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 12 July 2016 at 09:08, Lachlan Musicman wrote:
>
> > Alex, Sumit,
> >
> > Which log levels would you recommend for sssd to help debug this issue?
> >
> > We've been using 7, but I just realised that it's not an increasing scale
> > but bitmasked...
> >
> > cheers
> > L.
> >
> > ------
> > The most dangerous phrase in the language is, "We've always done it this
> > way."
> >
> > - Grace Hopper
> >
> > On 11 July 2016 at 17:15, Sumit Bose wrote:
From simecek.tomas at gmail.com Thu Jul 14 08:09:04 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 10:09:04 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714071738.GA19244@10.4.128.1>
References: <20160713112708.GB15067@10.4.128.1> <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1>
Message-ID:

Thanks all of you guys,
I have updated to:
sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
sssd-1.13.3-22.el6_8.4.x86_64
sssd-ldap-1.13.3-22.el6_8.4.x86_64
sssd-client-1.13.3-22.el6_8.4.x86_64
sssd-ad-1.13.3-22.el6_8.4.x86_64
sssd-proxy-1.13.3-22.el6_8.4.x86_64
libsss_idmap-1.13.3-22.el6_8.4.x86_64
sssd-common-1.13.3-22.el6_8.4.x86_64
sssd-ipa-1.13.3-22.el6_8.4.x86_64
python-sssdconfig-1.13.3-22.el6_8.4.noarch
sssd-krb5-1.13.3-22.el6_8.4.x86_64
sssd-common-pac-1.13.3-22.el6_8.4.x86_64
(there does not seem to be libsss_sudo in Centos as suggested by Danila).
and restarted sssd.

There are two rules enabled. One HBAC as I presented earlier:
  Rule name: Unixari na test servery
  Enabled: TRUE
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
  Services: login, sshd, sudo, sudo-i, su, su-l

and one sudo rule:
  Rule name: Pokusne
  Enabled: TRUE
  Command category: all
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz

Default "all-access" rules are disabled.

When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I still get:
[simecek.tomas@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for simecek.tomas@sd-stc.cz:
simecek.tomas@sd-stc.cz is not in the sudoers file.  This incident will be reported.

It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).

sssd.conf:
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ipa
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz@LINUXDOMAIN.CZ
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz
debug_level = 0x3ff0

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linuxdomain.cz

[nss]
homedir_substring = /home

[pam]

[sudo]
debug_level = 0x3ff0

[autofs]

[ssh]

[pac]

[ifp]

sssd_sudo.log from the moment I tried sudo:
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=%account@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=+*)))]
(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas@sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas@sd-stc.cz] from [sd-stc.cz]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users@sd-stc.cz)(sudoUser=%unixadmins@sd-stc.cz)(sudoUser=%wifiadmins@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg@sd-stc.cz)(sudoUser=+*)))]
(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas@sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 14 09:53:59 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
(Thu Jul 14 09:54:01 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service

Relevant part of sssd_linuxdomain.cz.log:
(I see only HBAC rule mentioned in the log, not the sudo rule, which is strange)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=simecek.tomas]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=simecek.tomas))][cn=Default Trust View,cn=views,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 10 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 10 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 11
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 11 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7140b0], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 11 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 12 timeout 6
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x712c20], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x712c20], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 12 finished
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 20051
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [simecek.tomas at sd-stc.cz] is empty, running request [0x755710] immediately.
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_port_status] (0x1000): Port status of port 0 for server 'svlxxipap.linuxdomain.cz' is 'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [get_server_status] (0x1000): Status of server 'svlxxipap.linuxdomain.cz' is 'working'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [be_resolve_server_process] (0x0200): Found address for server svlxxipap.linuxdomain.cz: [10.1.123.103] TTL 1200
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://svlxxipap.linuxdomain.cz'
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_sLkk1j]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_sLkk1j]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [20056]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [20056]
(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getDomains on path /org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [be_get_subdomains] (0x0400): Got get subdomains [SD-STC]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 13 timeout 6
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=LINUXDOMAIN.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=SD-STC.CZ_id_range,cn=ranges,cn=etc,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaRangeType]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x179ad10], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 13 finished
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:58 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sd-stc.cz,cn=ad,cn=trusts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustDirection]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7129e0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_is_member_dom] (0x0400): 4th component is not 'trust', not a member domain
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_get_forest] (0x2000): The forest name is sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_subdom_store] (0x0200): Trust direction of sd-stc.cz is trust direction not set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_with_filter_send] (0x2000): Server supports OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x775c00], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): No view found, using default.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_view_name_done] (0x0400): Found view name [default].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [20056].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x0100): child [20056] finished successfully.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][3][45].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][24].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): TGT times are [1468482837][1468482837][1468518837][1468569237].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [set_server_common_status] (0x0100): Marking server 'svlxxipap.linuxdomain.cz' as 'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as 'working'
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue] (0x1000): Wait queue for user [simecek.tomas at sd-stc.cz] is empty.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x755710] done.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [linuxdomain.cz] to [sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): domain: sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): user: simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): service: sudo
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): tty: /dev/pts/0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): ruser: simecek.tomas at sd-stc.cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): rhost:
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): priv: 0
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): cli_pid: 20051
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [pam_print_data] (0x0100): logon name: not set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_access_send] (0x0400): Performing access check for user [simecek.tomas at sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [simecek.tomas at sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [simecek.tomas at sd-stc.cz]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=zp-cml-test.linuxdomain.cz))][cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 16 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 16 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] using OpenLDAP deref
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=zp-cml-test.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 17 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7680b0], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 17 finished
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACService)]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 18 timeout 60
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770]
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz].
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 18 finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linuxdomain,dc=cz][2][(objectClass=ipaHBACServiceGroup)] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 19 timeout 60 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 19 finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: 
[cn=hbac,dc=linuxdomain,dc=cz][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn= zp-cml-test.linuxdomain.cz ,cn=computers,cn=accounts,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz)(memberHost=ipaUniqueID=07eac210-3dd9-11e6-abdf-005056961bfa,cn=sudorules,cn=sudo,dc=linuxdomain,dc=cz)))][cn=hbac,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 20 timeout 60 (Thu Jul 14 09:53:59 
2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=9496e5d6-3cf8-11e6-abf9-005056961bfa,cn=hbac,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x754780], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] 
(0x2000): Operation 20 finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_users] (0x2000): No such entry (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=grpunixadmins,cn=groups,cn=accounts,dc=linuxdomain,dc=cz)) (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [grpunixadmins] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sudo-i] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [Unixari na 
test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=spcss-2t-www.linuxdomain.cz,cn=computers,cn=accounts,dc=linuxdomain,dc=cz] does not map to either a host or hostgroup. Skipping (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_host_attrs_to_rule] (0x2000): Added host [zp-cml-test.linuxdomain.cz] to rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): [8] groups for [simecek.tomas at sd-stc.cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=wifi,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=UnixAdmins,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=administrator_Storage_DG,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=mfcr_MFG,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=ProvozSluzeb_DG,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=central_DG,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] 
(0x2000): Skipping non-group memberOf [CN=bdcdocswriters,CN=Users,DC=sd-stc,DC=cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [hbac_eval_user_element] (0x1000): Added group [grpunixadmins] for user [ simecek.tomas at sd-stc.cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Unixari na test servery] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_get_selinux_send] (0x2000): Connection status is [online]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=linuxdomain,dc=cz]. 
(Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 21 timeout 60 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaMigrationEnabled] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x74a420], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 21 finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz] (Thu Jul 14 09:53:59 2016) 
[sssd[be[linuxdomain.cz]]] [sdap_print_server] (0x2000): Searching 10.1.123.103 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=linuxdomain,dc=cz]. (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 60 (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7548e0], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): 
Trace: ldap_result found nothing! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[0x7548e0], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [20058] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [20058] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7516d0], connected[1], ops[(nil)], ldap[0x756770] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz] (Thu Jul 14 09:53:59 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler] (0x1000): Waiting for child [20058]. 
Thanks for trying to help guys. Any idea what might be wrong?

Thanks
T.

2016-07-14 9:17 GMT+02:00 Lukas Slebodnik :

> On (13/07/16 10:32), Danila Ladner wrote:
> >Update to this one:
> >It has been running smoothly on 6.5
> >
> >[root at dev-zlei.sec1 ~]# cat /etc/redhat-release
> >CentOS release 6.5 (Final)
> >
> >[root at dev-zlei.sec1 ~]# rpm -qa | grep sssd
> >sssd-client-1.12.4-47.el6.x86_64
> >sssd-ldap-1.12.4-47.el6.x86_64
> >sssd-ad-1.12.4-47.el6.x86_64
> >python-sssdconfig-1.12.4-47.el6.noarch
> >sssd-common-1.12.4-47.el6.x86_64
> >sssd-proxy-1.12.4-47.el6.x86_64
> >sssd-common-pac-1.12.4-47.el6.x86_64
> >sssd-krb5-1.12.4-47.el6.x86_64
> >sssd-ipa-1.12.4-47.el6.x86_64
> >sssd-krb5-common-1.12.4-47.el6.x86_64
> >sssd-1.12.4-47.el6.x86_64
> >
> +1 for latest sssd even on CentOS 6.5.
>
> If you have a problem with 1.12 (from 6.7)
> then we can look into log files.
> Because there is still a chance that you just hit
> a bug in 1.11 which is solved in 1.12
>
> If it will not work then please provide
> sssd.conf + log files with high debug_level sssd_sudo.log
> and sssd_$domain.log
>
> LS
>

From bob at jackland.demon.co.uk Thu Jul 14 08:14:41 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Thu, 14 Jul 2016 09:14:41 +0100
Subject: [Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]
In-Reply-To: <2aa0dd5b-7f9b-0e14-92c4-4ee5ed616d32@redhat.com>
References: <2aa0dd5b-7f9b-0e14-92c4-4ee5ed616d32@redhat.com>
Message-ID: <38c2f61d-1fd2-d958-6517-c108b0bb4287@jackland.demon.co.uk>

On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> Hi,
>>
>> We are trying to create a new replica on RHEL 7.2
>>
>> This completes but named-pkcs11 fails to start -
>>
>> systemctl status named-pkcs11.service
>> ●
>> named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native
>> PKCS#11
>> Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;
>> disabled; vendor preset: disabled)
>> Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST;
>> 51min ago
>> Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
>> (code=exited, status=1/FAILURE)
>> Process: 25910 ExecStartPre=/bin/bash -c if [ !
>> "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z
>> /etc/named.conf; else echo "Checking of zone files is disabled"; fi
>> (code=exited, status=0/SUCCESS)
>>
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation.
>> Support and training for BIND 9 are
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at
>> https://www.isc.org/support
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:
>> ----------------------------------------------------
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on
>> open files from 4096 to 1048576
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU,
>> using 1 worker thread
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP
>> listener per interface
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service:
>> control process exited, code=exited status=1
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley
>> Internet Name Domain (DNS) with native PKCS#11.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service
>> entered failed state.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service
>> failed.
>>
>> # /usr/sbin/named-pkcs11 -d 9 -g
>> 13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1
>> -d 9 -g
>> 13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu'
>> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
>> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
>> '--localstatedir=/var' '--enable-threads' '--enable-ipv6'
>> '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static'
>> '--disable-openssl-version-check' '--enable-exportlib'
>> '--with-export-libdir=/usr/lib64'
>> '--with-export-includedir=/usr/include'
>> '--includedir=/usr/include/bind9' '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
>> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
>> '--disable-isc-spnego' '--enable-fixed-rrset'
>> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
>> 'build_alias=x86_64-redhat-linux-gnu'
>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>> 13-Jul-2016 19:31:01.283
>> ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems
>> Consortium,
>> 13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>> 13-Jul-2016 19:31:01.284 corporation. Support and training for BIND
>> 9 are
>> 13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
>> 13-Jul-2016 19:31:01.284
>> ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to
>> 1048576
>> 13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
>> 13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
>> 13-Jul-2016 19:31:01.284 using up to 4096 sockets
>> 13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
>> 13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
>> 13-Jul-2016 19:31:01.287 exiting (due to fatal error)
>>
>> # tail -2 /var/log
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]:
>> ObjectStore.cpp(59): Failed to enumerate object store in
>> /var/lib/softhsm/tokens/
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456):
>> Could not load the object store
>>
>> I've tried "ipa-server-upgrade" and
>>
>> mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
>>
>> ipa-dns-install
>>
>> But I haven't managed to fix it.
>>
>> Using "ipactl start -f" means the rest of the ipa services seem to work
>> properly, but without named.
>>
>> Is there a way to fix the named issue or is it much simpler to
>> disconnect the replica, uninstall it and start again ?
>>
>> Thanks
>>
>> Bob Hinton
>>
>>
>>
>
> Hi Bob,
>
> If your SElinux is in enforcing mode I would check for AVCs, maybe the
> token directory is mislabeled.
>
> You also may be hitting
> https://fedorahosted.org/freeipa/ticket/5520 , there is a workaround
> described in the ticket.
> Hi Martin, It was the umask on RHEL 7.2 that had caused the problem as per ticket 5520 chmod 770 /var/lib/ipa/dnssec chmod 644 /etc/ipa/dnssec/softhsm2.conf ipactl restart Fixed it Many thanks Bob From lslebodn at redhat.com Thu Jul 14 08:38:16 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 14 Jul 2016 10:38:16 +0200 Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0? In-Reply-To: References: <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> Message-ID: <20160714083815.GC19244@10.4.128.1> On (14/07/16 10:09), Tomas Simecek wrote: >Thanks all of you guys, >I have updated to: >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 >sssd-1.13.3-22.el6_8.4.x86_64 >sssd-ldap-1.13.3-22.el6_8.4.x86_64 >sssd-client-1.13.3-22.el6_8.4.x86_64 >sssd-ad-1.13.3-22.el6_8.4.x86_64 >sssd-proxy-1.13.3-22.el6_8.4.x86_64 >libsss_idmap-1.13.3-22.el6_8.4.x86_64 >sssd-common-1.13.3-22.el6_8.4.x86_64 >sssd-ipa-1.13.3-22.el6_8.4.x86_64 >python-sssdconfig-1.13.3-22.el6_8.4.noarch >sssd-krb5-1.13.3-22.el6_8.4.x86_64 >sssd-common-pac-1.13.3-22.el6_8.4.x86_64 >(there does not seem to be libsss_sudo in Centos as suggested by Danila). >and restarted sssd. > >There are two rules enabled. One HBAC as I presented earlier: > Rule name: Unixari na test servery > Enabled: TRUE > User Groups: grpunixadmins > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > Services: login, sshd, sudo, sudo-i, su, su-l > >and one sudo rule: >Rule name: Pokusne > Enabled: TRUE > Command category: all > User Groups: grpunixadmins > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > >Default "all-access" rules are disabled. 
>
>When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I still get:
>
>[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>[sudo] password for simecek.tomas at sd-stc.cz:
>simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will be reported.
>
>It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>
>sssd.conf:
>[domain/linuxdomain.cz]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = linuxdomain.cz
>id_provider = ipa
>krb5_realm = LINUXDOMAIN.CZ
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = zp-cml-test.linuxdomain.cz
>chpass_provider = ipa
>ipa_server = svlxxipap.linuxdomain.cz
>ldap_tls_cacert = /etc/ipa/ca.crt
>override_shell = /bin/bash
>sudo_provider = ipa
>ldap_uri = ldap://svlxxipap.linuxdomain.cz
>ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>ldap_sasl_mech = GSSAPI
>#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
>ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>ldap_sasl_realm = LINUXDOMAIN.CZ
>krb5_server = svlxxipap.linuxdomain.cz
>debug_level = 0x3ff0
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>domains = linuxdomain.cz
>[nss]
>homedir_substring = /home
>[pam]
>[sudo]
>debug_level = 0x3ff0
>[autofs]
>[ssh]
>[pac]
>[ifp]
>
>
>sssd_sudo.log from the moment I tried sudo:
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=+*)))]
>(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
>(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
>(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*)))]
>(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]

Your user does not have any valid sudo rules.
It might be caused by wrong group membership.
Are you sure that user simecek.tomas at sd-stc.cz is a member of group grpunixadmins?

BTW this is described in the sudo troubleshooting wiki:

https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

LS

From simecek.tomas at gmail.com Thu Jul 14 09:26:39 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 11:26:39 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714083815.GC19244@10.4.128.1>
References: <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1>
Message-ID:

Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external, which has Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins, which has ad_admins_external group as a member.
So from that perspective user simecek.tomas at sd-stc.cz is a member of grpunixadmins.
That setup works for ssh logins and for sudo on Centos 7.0. It is as per installation document https://www.freeipa.org/page/Active_Directory_trust_setup
Correct me if I am wrong, but if it works on Client 1, it should also work on Client 2.

T.
2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :
> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I still get:
> >
> >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.tomas at sd-stc.cz:
> >simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will be reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=%account at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x260b690][17]
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'simecek.tomas at sd-stc.cz' matched expression for domain 'sd-stc.cz', user is simecek.tomas
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [simecek.tomas] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/sd-stc.cz/simecek.tomas]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [simecek.tomas at sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [simecek.tomas at sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> Your user does not have any valid sudo rules.
> It might be caused by wrong group membership.
> Are you sure that user simecek.tomas at sd-stc.cz is a member of group grpunixadmins?
>
> BTW this is described in the sudo troubleshooting wiki:
>
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> LS
>

From rob.verduijn at gmail.com Thu Jul 14 09:51:43 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Thu, 14 Jul 2016 11:51:43 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714083815.GC19244@10.4.128.1>
References: <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1>
Message-ID:

hi,
just a long shot here..
I've been battling sudo for a couple days now and found that my issue was one related to symlinks on centos7 'which cat' says /bin/cat but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when it sees one and to prevent abuse it requires the 'real' path for the sudo rule : ALL=(ALL) /usr/bin/cat on centos6 which cat also says /bin/cat but since /bin is not a symlink it requires the sudo rule to be ALL=(ALL) /bin/cat so for the sudo to work on both centos6 and centos7 you would require 2 sudo rules. Ignore me if this is irrelevant. Just my 2 cents Rob 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik : > On (14/07/16 10:09), Tomas Simecek wrote: > >Thanks all of you guys, > >I have updated to: > >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 > >sssd-1.13.3-22.el6_8.4.x86_64 > >sssd-ldap-1.13.3-22.el6_8.4.x86_64 > >sssd-client-1.13.3-22.el6_8.4.x86_64 > >sssd-ad-1.13.3-22.el6_8.4.x86_64 > >sssd-proxy-1.13.3-22.el6_8.4.x86_64 > >libsss_idmap-1.13.3-22.el6_8.4.x86_64 > >sssd-common-1.13.3-22.el6_8.4.x86_64 > >sssd-ipa-1.13.3-22.el6_8.4.x86_64 > >python-sssdconfig-1.13.3-22.el6_8.4.noarch > >sssd-krb5-1.13.3-22.el6_8.4.x86_64 > >sssd-common-pac-1.13.3-22.el6_8.4.x86_64 > >(there does not seem to be libsss_sudo in Centos as suggested by Danila). > >and restarted sssd. > > > >There are two rules enabled. One HBAC as I presented earlier: > > Rule name: Unixari na test servery > > Enabled: TRUE > > User Groups: grpunixadmins > > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > > Services: login, sshd, sudo, sudo-i, su, su-l > > > >and one sudo rule: > >Rule name: Pokusne > > Enabled: TRUE > > Command category: all > > User Groups: grpunixadmins > > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > > > >Default "all-access" rules are disabled. 
> > > >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I > >still get: > > > >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf > >[sudo] password for simecek.tomas at sd-stc.cz: > >simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will > be > >reported. > > > >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz). > > > >sssd.conf: > >[domain/linuxdomain.cz] > >cache_credentials = True > >krb5_store_password_if_offline = True > >ipa_domain = linuxdomain.cz > >id_provider = ipa > >krb5_realm = LINUXDOMAIN.CZ > >auth_provider = ipa > >access_provider = ipa > >ipa_hostname = zp-cml-test.linuxdomain.cz > >chpass_provider = ipa > >ipa_server = svlxxipap.linuxdomain.cz > >ldap_tls_cacert = /etc/ipa/ca.crt > >override_shell = /bin/bash > >sudo_provider = ipa > >ldap_uri = ldap://svlxxipap.linuxdomain.cz > >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz > >ldap_sasl_mech = GSSAPI > >#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ > >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz > >ldap_sasl_realm = LINUXDOMAIN.CZ > >krb5_server = svlxxipap.linuxdomain.cz > >debug_level = 0x3ff0 > >[sssd] > >services = nss, sudo, pam, ssh > >config_file_version = 2 > >domains = linuxdomain.cz > >[nss] > >homedir_substring = /home > >[pam] > >[sudo] > >debug_level = 0x3ff0 > >[autofs] > >[ssh] > >[pac] > >[ifp] > > > > > >sssd_sudo.log from the moment I tried sudo: > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > >(0x0400): No such entry > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > >(0x0200): Searching sysdb with > >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > >simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\ > >20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz > >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=% > >account at sd-stc.cz)(sudoUser=%wifiadmins at 
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.tomas at sd-stc.cz
> >)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%
> >unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >(0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
> Your user does not have any valid sudo rules.
> It might be caused by wrong group membership.
> Are you sure that user simecek.tomas at sd-stc.cz is member of group
> grpunixadmins
>
> BTW this is described in sudo troubleshooting wiki
>
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> LS
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simecek.tomas at gmail.com Thu Jul 14 10:02:59 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 12:02:59 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160713114408.GC15067@10.4.128.1> <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1>
Message-ID:

Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific commands, in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:

[root at zp-cml-test ~]# which service
/sbin/service
[root at zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16 2014 /sbin/service
[root at zp-cml-test ~]# logout
[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.tomas at sd-stc.cz:
simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will be reported.

Thanks anyway, let me know if something else comes to your mind.
Tomas

2016-07-14 11:51 GMT+02:00 Rob Verduijn :

> hi,
>
> just a long shot here..
>
> I've been battling sudo for a couple days now and found that my issue was
> one related to symlinks
> on centos7 'which cat' says /bin/cat
> but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
> it sees one and to prevent abuse it requires the 'real' path for the sudo
> rule : ALL=(ALL) /usr/bin/cat
> on centos6 which cat also says /bin/cat but since /bin is not a symlink it
> requires the sudo rule to be ALL=(ALL) /bin/cat
> so for the sudo to work on both centos6 and centos7 you would require 2
> sudo rules.
>
> Ignore me if this is irrelevant.
>
> Just my 2 cents
> Rob
>
> 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :
>
>> On (14/07/16 10:09), Tomas Simecek wrote:
>> >Thanks all of you guys,
>> >I have updated to:
>> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-1.13.3-22.el6_8.4.x86_64
>> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
>> >sssd-client-1.13.3-22.el6_8.4.x86_64
>> >sssd-ad-1.13.3-22.el6_8.4.x86_64
>> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
>> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
>> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>> >and restarted sssd.
>> >
>> >There are two rules enabled.
>> >One HBAC as I presented earlier:
>> > Rule name: Unixari na test servery
>> > Enabled: TRUE
>> > User Groups: grpunixadmins
>> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> > Services: login, sshd, sudo, sudo-i, su, su-l
>> >
>> >and one sudo rule:
>> >Rule name: Pokusne
>> > Enabled: TRUE
>> > Command category: all
>> > User Groups: grpunixadmins
>> > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >
>> >Default "all-access" rules are disabled.
>> >
>> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
>> >still get:
>> >
>> >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>> >[sudo] password for simecek.tomas at sd-stc.cz:
>> >simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will
>> be
>> >reported.
>> >
>> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>> >
>> >sssd.conf:
>> >[domain/linuxdomain.cz]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = linuxdomain.cz
>> >id_provider = ipa
>> >krb5_realm = LINUXDOMAIN.CZ
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = zp-cml-test.linuxdomain.cz
>> >chpass_provider = ipa
>> >ipa_server = svlxxipap.linuxdomain.cz
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >override_shell = /bin/bash
>> >sudo_provider = ipa
>> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> >ldap_sasl_mech = GSSAPI
>> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz at LINUXDOMAIN.CZ
>> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>> >ldap_sasl_realm = LINUXDOMAIN.CZ
>> >krb5_server = svlxxipap.linuxdomain.cz
>> >debug_level = 0x3ff0
>> >[sssd]
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >domains = linuxdomain.cz
>> >[nss]
>> >homedir_substring = /home
>> >[pam]
>> >[sudo]
>> >debug_level = 0x3ff0
>> >[autofs]
>> >[ssh]
>> >[pac]
>> >[ifp]
>> >
>> >
>> >sssd_sudo.log from the moment I tried sudo:
>> >(0x0400): Retrieving rules for [simecek.tomas at sd-stc.cz] from [sd-stc.cz]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
>> >simecek.tomas at sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
>> >20users at sd-stc.cz)(sudoUser=%unixadmins at sd-stc.cz)(sudoUser=%
>> >wifiadmins at sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
>> mfcr_mfg at sd-stc.cz
>> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482835)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
>> About
>> >to get sudo rules from cache
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
>> >(0x0400): No such entry
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache]
>> >(0x0200): Searching sysdb with
>> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
>> simecek.tomas at sd-stc.cz
>> >)(sudoUser=#988604700)(sudoUser=%domain\20users at sd-stc.cz)(sudoUser=%
>> >unixadmins at sd-stc.cz)(sudoUser=%wifiadmins at sd-stc.cz
>> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_mfg at sd-stc.cz)(sudoUser=+*)))]
>> >(Thu Jul 14 09:53:55 2016) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache]
>> >(0x0400): Returning 0 rules for [simecek.tomas at sd-stc.cz]
>> Your user does not have any valid sudo rules.
>> It might be caused by wrong group membership.
>> Are you sure that user simecek.tomas at sd-stc.cz is member of group
>> grpunixadmins
>>
>> BTW this is described in sudo troubleshooting wiki
>>
>> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>>
>> LS
>>

From lslebodn at redhat.com Thu Jul 14 10:21:38 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 14 Jul 2016 12:21:38 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1>
Message-ID: <20160714102137.GE19244@10.4.128.1>

On (14/07/16 11:26), Tomas Simecek wrote:
>Hi Lukas,
>we have Active Directory group "UnixAdmins".
>We have IPA external group ad_admins_external, which has
>Windows "UnixAdmins" group as a member.
>We have local IPA group grpunixadmins, which has
>ad_admins_external group as a member.
>So from that perspective user simecek.tomas at sd-stc.cz is a member of
>grpunixadmins.
>That setup works for ssh logins and for sudo on Centos 7.0.
>
If a user is a member of a group in IPA, it does not mean that
it's properly propagated to the client :-)

I can see a few errors in the log
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[ipa_s2n_save_objects] (0x2000): Updating memberships for
>simecek.tomas at sd-stc.cz
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
>object](32)[ldb_wait: No such object (32)]
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
>[sysdb_update_members_ex] (0x0020): Could not add member [
>simecek.tomas at sd-stc.cz] to group [name=simecek.tomas at sd-stc.cz
>,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Please test with id simecek.tomas at sd-stc.cz.
I'm pretty sure that you will not see a group grpunixadmins.

BTW according to domain logs it looks like a bug with extop plugin
on freeipa server. I assume that ipa server is on CentOS 7.0
because you mention it works on Centos 7.0.

I would strongly recommend upgrading the server to 7.2

LS

From simecek.tomas at gmail.com Thu Jul 14 10:43:10 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 12:43:10 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714102137.GE19244@10.4.128.1>
References: <3D4A090E-ECC1-4DBF-956B-225D984D001C@gmail.com> <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1>
Message-ID:

Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id
simecek.tomas at sd-stc.cz."
It is the user I am testing with all the time.

Here is what I see on client where sudo does not work:

[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ id
uid=988604700(simecek.tomas at sd-stc.cz) gid=988604700(simecek.tomas at sd-stc.cz) groups=988604700(simecek.tomas at sd-stc.cz),431200004(grpunixadmins),988600513(domain users at sd-stc.cz),988604182(account at sd-stc.cz),988604754(mfcr_mfg at sd-stc.cz),988604825(unixadmins at sd-stc.cz),988604833(wifiadmins at sd-stc.cz)

You can see Centos 6.6 client knows about all the groups assigned to the users, incl. AD groups (unixadmins), which seems funny to me.

You are right, IPA server is Centos 7.0 and functional client is Centos 7.0 as well. Both login and sudo work on client with Centos 7.0.
Rules on IPA server are set to work on both clients, but work only on 7.0.

If I run update on server, it would update ipa-server from v. 4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.

Does it make sense now?
Thanks
T.

2016-07-14 12:21 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 11:26), Tomas Simecek wrote:
> >Hi Lukas,
> >we have Active Directory group "UnixAdmins".
> >We have IPA external group ad_admins_external, which has
> >Windows "UnixAdmins" group as a member.
> >We have local IPA group grpunixadmins, which has
> >ad_admins_external group as a member.
> >So from that perspective user simecek.tomas at sd-stc.cz is a member of
> >grpunixadmins.
> >That setup works for ssh logins and for sudo on Centos 7.0.
> >
> If a user is a member of a group in IPA, it does not mean that
> it's properly propagated to the client :-)
>
> I can see a few errors in the log
>
> Please test with id simecek.tomas at sd-stc.cz.
> I'm pretty sure that you will not see a group grpunixadmins.
>
> BTW according to domain logs it looks like a bug with extop plugin
> on freeipa server. I assume that ipa server is on CentOS 7.0
> because you mention it works on Centos 7.0.
>
> I would strongly recommend upgrading the server to 7.2
>
> LS
>
From lslebodn at redhat.com Thu Jul 14 10:49:44 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 14 Jul 2016 12:49:44 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1>
Message-ID: <20160714104943.GG19244@10.4.128.1>

On (14/07/16 12:43), Tomas Simecek wrote:
>Thanks Lukas,
>to be honest I am not sure what you mean by "Please test with id
>simecek.tomas at sd-stc.cz."
>It is the user I am testing with all the time.
>
>Here is what I see on client where sudo does not work:
>[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ id
>uid=988604700(simecek.tomas at sd-stc.cz) gid=988604700(simecek.tomas at sd-stc.cz)
>groups=988604700(simecek.tomas at sd-stc.cz),431200004(grpunixadmins),988600513(domain
>users at sd-stc.cz),988604182(account at sd-stc.cz),988604754(mfcr_mfg at sd-stc.cz
>),988604825(unixadmins at sd-stc.cz),988604833(wifiadmins at sd-stc.cz)
>
hmm, the user is a member of grpunixadmins. Then I wonder why sssd could not find
sudo rules for the user.

I would like to see full log file + dump of sssd cache.
Please:
* clean cache and log files on client
    rm -f /var/lib/sss/db/* /var/log/sssd/*
* enable debug_level=9 in domain section and sudo
* restart sssd
* authenticate with user simecek.tomas at sd-stc.cz
* try sudo.
* send all sssd log files
* provide dump of sssd cache
    ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
  (utility ldbsearch is part of package ldb-tools)

LS

From mkosek at redhat.com Thu Jul 14 10:57:44 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 14 Jul 2016 12:57:44 +0200
Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl
In-Reply-To:
References:
Message-ID:

On 07/13/2016 04:24 AM, Devin Acosta wrote:
>
> I was trying to create another Replica but then noticed it was constantly having
> issues trying to finish the joining of the replication. I then ran the command:
> repl-monitor.pl , It appears I have several replicaid's
> and they seem to be having issues, wondering if this is adding to my issue.
>
> Anyone know how I can resolve this issue and clean up the replication???
>
> See attached Screenshot.

I wonder if cleaning RUVs helps:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/trouble-replica.html#trouble-repl-cleanruv

From bcesarone156 at gmail.com Fri Jul 8 17:45:33 2016
From: bcesarone156 at gmail.com (Brad Cesarone)
Date: Fri, 8 Jul 2016 12:45:33 -0500
Subject: [Freeipa-users] Sync & BaseDN change
Message-ID:

Hello

I hope this finds the right thread because the original thread was replied to the list and not my email...

I need to sync to another ldap directory which has a different SUFFIX than IPA sets up. I successfully imported from our OpenLDAP to IPA but I still need to sync with a separate master ldap server.

So the provider server suffix is dc=example,dc=com. This suffix is different than the DNS suffix and there is no kerberos realm to match to for the provider side.

IPA server suffix is dc=domain, dc=com.
So the two options I see are to create a script which connects and compares both LDAPs, ensuring it can match the different suffixes, or somehow change the suffix of the originally installed

From bob at jackland.demon.co.uk Wed Jul 13 18:51:22 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Wed, 13 Jul 2016 19:51:22 +0100
Subject: [Freeipa-users] named-pkcs11 fails on new ipa replica
Message-ID: <6c32983d-386a-7915-8949-74d55253cff4@jackland.demon.co.uk>

Hi,

We are trying to create a new replica on RHEL 7.2. This completes but named-pkcs11 fails to start -

systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
  Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: ----------------------------------------------------
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.

# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283 ----------------------------------------------------
13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284 ----------------------------------------------------
13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)

# tail -2 /var/log
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store

I've tried "ipa-server-upgrade" and

mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
ipa-dns-install

But I haven't managed to fix it.

Using "ipactl start -f" means the rest of the ipa services seem to work properly, but without named.
Is there a way to fix the named issue or is it much simpler to disconnect the replica, uninstall it and start again ?

Thanks

Bob Hinton

From grantwu at andrew.cmu.edu Thu Jul 14 05:13:05 2016
From: grantwu at andrew.cmu.edu (Grant Wu)
Date: Thu, 14 Jul 2016 01:13:05 -0400
Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment
Message-ID:

Hi all,

I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a pain point for quite some time. I've heard that FreeIPA might be a solution worth exploring.

I would like to try to avoid user visible disruption if possible, however. This means that we would like to keep our Kerberos realm name, keep AFS cross-realm authentication working, etc. UIDs remaining the same would be good; I'd have to think about

Essentially all of our clients are various flavors of Debian; mostly Jessie (we have an unfortunate number of older machines that I hope to upgrade soon).

Has anyone done something like this before? Anyone have any ideas what the migration path would look like or whether this is even possible?

Thanks,
Grant Wu
grantwu at andrew.cmu.edu

From simecek.tomas at gmail.com Thu Jul 14 11:06:05 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 13:06:05 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714104943.GG19244@10.4.128.1>
References: <07DD9DBA-6DB7-424E-84AD-96EA555766D9@gmail.com> <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1> <20160714104943.GG19244@10.4.128.1>
Message-ID:

Hi Lukas,
I did as you said.
Logs are attached to this mail.
Thanks for helping.
T.
2016-07-14 12:49 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 12:43), Tomas Simecek wrote:
> >Thanks Lukas,
> >to be honest I am not sure what do you mean by "Please test with id
> >simecek.tomas at sd-stc.cz."
> >It is the user I am testing with all the time.
> >
> >Here is what I see on client where sudo does not work:
> >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ id
> >uid=988604700(simecek.tomas at sd-stc.cz) gid=988604700(simecek.tomas at sd-stc.cz)
> >groups=988604700(simecek.tomas at sd-stc.cz),431200004(grpunixadmins),988600513(domain users at sd-stc.cz),988604182(account at sd-stc.cz),988604754(mfcr_mfg at sd-stc.cz),988604825(unixadmins at sd-stc.cz),988604833(wifiadmins at sd-stc.cz)
> >
> hmm, the user is member of grpunixadmins. Then I wonder why sssd could not
> find sudo rules for the user.
>
> I would like to see full log file + dump of sssd cache.
> Please:
> * clean cache and log files on client
>     rm -f /var/lib/sss/db/* /var/log/sssd/*
> * enable debug_level=9 in domain section and sudo
> * restart sssd
> * authenticate with user simecek.tomas at sd-stc.cz
> * try sudo.
> * send all sssd log files
> * provide dump of sssd cache
>     ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
>   (utility ldbsearch is part of package ldb-tools)
>
> LS
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: logs.zip
Type: application/zip
Size: 161829 bytes
Desc: not available

From christophe.trefois at uni.lu Thu Jul 14 11:24:58 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 14 Jul 2016 11:24:58 +0000
Subject: [Freeipa-users] Web UI access from outside the home network via port forwarding
In-Reply-To: <20160714055253.GA17625@redhat.com>
References: <20160714055253.GA17625@redhat.com>
Message-ID: <01325312-7231-44BC-B0F0-E210DBB91322@uni.lu>

Hi Jan,

Cool doc. Thanks for writing it up!

> On 14 Jul 2016, at 07:52, Jan Pazdziora wrote:
>
> On Mon, Jul 11, 2016 at 07:00:04PM -0700, Harry Kashouli wrote:
>>
>> I have a freeipa server set up, and would like to access the Web UI
>> remotely (from outside my home network).
>>
>> I set up a fresh Fedora 24 server install, and installed freeipa-server.
>> - I own a domain, domain.com
>> - The hostname of my freeipa server is hostname.subdomain.domain.com
>> - My home network domain is subdomain.domain.com
>>
>> I set up a CNAME hostname.domain.com and port forwardings, and I tested
>> this works with nginx on the same machine; I can successfully see the nginx
>> test page.
>> I then assumed I could do the same with the freeipa Web UI, but when I
>> navigate to http://hostname.domain.com:, it switches to
>> https://hostname.subdomain.domain.com:, and with the
>> following error: "Server not found"
>>
>> What am I doing wrong?
>
> There are some more config tweaks likely needed.
>
> Writeup
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> should help you resolve the issue.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From lslebodn at redhat.com Thu Jul 14 11:32:45 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 14 Jul 2016 13:32:45 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To:
References: <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1> <20160714104943.GG19244@10.4.128.1>
Message-ID: <20160714113245.GH19244@10.4.128.1>

On (14/07/16 13:06), Tomas Simecek wrote:
>Hi Lukas,
>I did as you said.
>Logs are attached to this mail.
>
Thank you very much for provided data.
The main problem is that full refresh of sudo rules did not store any rules.

It might be caused by following errors which might be caused by issues
with old buggy IPA server on CentOS 7.0

[ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pavel at sd-stc.cz
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=account at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
[sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=borek.pavel at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.

Attached is a reduced log.

You might try new feature in sssd-1.13 on el6 which will
avoid using compat tree for sudo.

Try to change ldap_sudo_search_base from
ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz

It does not mean that it will solve issue with extop plugin
on IPA server (ipa_s2n_save_objects)

If it does not help then please provide the same data as in previous mail.
BTW I strongly suspect issues on IPA server on CentOS 7.0.
It might work on CentOS 7.0 client only by chance.

LS

From simecek.tomas at gmail.com Thu Jul 14 11:52:05 2016
From: simecek.tomas at gmail.com (Tomas Simecek)
Date: Thu, 14 Jul 2016 13:52:05 +0200
Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714113245.GH19244@10.4.128.1>
References: <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1> <20160714104943.GG19244@10.4.128.1> <20160714113245.GH19244@10.4.128.1>
Message-ID:

Hi Lukas,
sorry to say, but nothing helps.

I have just updated IPA server, so that now it is:
[root at svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
with:
[root at svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and restarted sssd.
No difference, still:
[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.tomas at sd-stc.cz:
simecek.tomas at sd-stc.cz is not in the sudoers file.  This incident will be reported.

I guess I will pilot some more IPA clients to make sure it works reliably and if yes, I guess we will be able to live with the fact that older Linuxes do not offer sudo to AD clients.
Or do you think there is something more to try?
Thanks
T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for provided data.
>
> The main problem is that full refresh of sudo rules did not store any
> rules.
>
> It might be caused by following errors which might be caused by issues
> with old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pavel at sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=account at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel at sd-stc.cz] to group [name=borek.pavel at sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try new feature in sssd-1.13 on el6 which will
> avoid using compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve issue with extop plugin
> on IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in previous mail.
> BTW I strongly suspect issues on IPA server on CentOS 7.0.
> It might work on CentOS 7.0 client only by chance.
>
> LS
>
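Lukas's diagnosis in this thread rests on spotting a handful of sysdb membership errors in a debug_level=9 domain log, which is tedious by hand once the log runs to thousands of lines. The script below is an added example for this archive; it is not SSSD or FreeIPA code and nobody in the thread posted it. It parses the SSSD log line format, keeps everything logged at the failure debug levels (0x0010 to 0x0080 per sssd.conf(5)), and aggregates the "Could not add member [...] to group [...]" messages per group DN. The sample log embedded in it is constructed, modelled on the lines Lukas quoted, with a real "@" in the names where the archive prints " at "; the on-disk "(timestamp) [sssd[be[domain]]]" prefix is treated as optional so the reduced lines pasted into mails parse too.

```python
"""Triage an SSSD domain log captured with debug_level=9.

Added example for this thread, not part of SSSD or FreeIPA. It extracts what
Lukas pulled out of the attached logs by hand: every failure-level message,
and the "Could not add member [...] to group [...]" errors from sysdb,
aggregated per group so broken memberships are visible at a glance.
"""
import re
import sys
from collections import Counter, defaultdict

# One SSSD log line. On disk each line starts with "(timestamp) [sssd[be[domain]]]";
# the lines quoted in the thread are reduced and lack that prefix, so it is optional.
LINE_RE = re.compile(
    r"^(?:\((?P<ts>[^)]*)\)\s+\[sssd\S*\s+)?"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)

# Message sysdb_update_members_ex emits when a membership write fails.
MEMBER_FAIL_RE = re.compile(
    r"Could not add member \[(?P<member>[^\]]+)\] to group \[(?P<group>[^\]]+)\]"
)

# SSSD debug levels (see sssd.conf(5)); 0x0010..0x0080 are the failure levels.
SSSDBG_MINOR_FAILURE = 0x0080

# Constructed sample, modelled on the lines Lukas quoted (names and domain reused
# from the thread, written with a real "@" instead of the archive's " at ").
# The last two lines exercise the reduced format and a non-SSSD line.
SAMPLE_LOG = """\
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for borek.pavel@sd-stc.cz
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel@sd-stc.cz] to group [name=account@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Thu Jul 14 12:49:01 2016) [sssd[be[sd-stc.cz]]] [sysdb_update_members_ex] (0x0020): Could not add member [borek.pavel@sd-stc.cz] to group [name=borek.pavel@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
[sysdb_update_members_ex] (0x0020): Could not add member [simecek.tomas@sd-stc.cz] to group [name=account@sd-stc.cz,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
this is not an SSSD log line and is skipped
"""


def parse_line(line):
    """Return {'ts', 'func', 'level', 'msg'} for an SSSD log line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ts": m.group("ts"), "func": m.group("func"),
            "level": int(m.group("level"), 16), "msg": m.group("msg")}


def triage(lines):
    """Collect failure-level messages and failed group-membership writes."""
    failures = []                       # (func, level, msg) at a failure level
    member_failures = defaultdict(set)  # group DN -> members that were not stored
    by_function = Counter()             # which code path produced the failures
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["level"] <= SSSDBG_MINOR_FAILURE:
            failures.append((rec["func"], rec["level"], rec["msg"]))
            by_function[rec["func"]] += 1
        mf = MEMBER_FAIL_RE.search(rec["msg"])
        if mf:
            member_failures[mf.group("group")].add(mf.group("member"))
    return {"failures": failures, "member_failures": dict(member_failures),
            "by_function": by_function, "skipped": skipped}


def format_report(summary):
    """Render a triage summary as text."""
    out = ["%d failure-level messages (%d non-SSSD lines skipped)"
           % (len(summary["failures"]), summary["skipped"])]
    for func, n in summary["by_function"].most_common():
        out.append("  %-28s %d" % (func, n))
    if summary["member_failures"]:
        out.append("group memberships NOT written to the sysdb cache:")
        for group in sorted(summary["member_failures"]):
            out.append("  " + group)
            for member in sorted(summary["member_failures"][group]):
                out.append("      <- " + member)
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python sssd_triage.py /var/log/sssd/sssd_sd-stc.cz.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(format_report(triage(fh)))
    else:
        print(format_report(triage(SAMPLE_LOG.splitlines())))
```

Run it against the client's /var/log/sssd/sssd_<domain>.log right after the collection steps Lukas listed (cache and logs wiped, debug_level=9, one login, one sudo attempt). Groups listed in the report are memberships the server returned but the client cache could not store, which are the errors Lukas points at as the likely reason the sudo full refresh ended up with nothing. The function counter is there so that a log dominated by a single code path (here sysdb_update_members_ex) stands out before reading any individual line.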
From dsullivan2 at bsd.uchicago.edu Thu Jul 14 12:02:53 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Thu, 14 Jul 2016 12:02:53 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu>
Message-ID: <32CCB7A7-5B2F-4165-B9F8-8F4A325D0AE7@bsd.uchicago.edu>

Hi,

I have a brief follow up question regarding this issue; I'm actually not bent on using HBAC; it is a nice feature and I'd like to use it, but at the end of the day I'm not married to the idea of managing this type of policy centrally; in theory, group or user based access control using AllowGroups/AllowUsers in sshd_config should work, as long as GSSAPIAuthentication and UsePAM are enabled, right? I've seen a couple of threads that suggest this is possible, although I haven't seen it explicitly mentioned anywhere in the documentation. I've made a brief failed attempt at getting sshd authentication working using AllowGroups in sshd_config, however I haven't spent a whole lot of time on it yet (I'm running into some issues with PAM, presumably due to pre-existing problems with group enumeration). I'm growing concerned about our upcoming IPA implementation because as of now I don't have a known workaround to the issue described in this thread (it is impacting more than one client). Any advice with respect to a viable workaround to this issue would be appreciated. Thank you so much for your ongoing support.

Best,

Dan

> On Jul 13, 2016, at 2:14 PM, Sullivan, Daniel [AAA] wrote:
>
> Jakub, Justin,
>
> Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I've been dealing with a production issue for most of the morning.
>
> An invocation of "id a.cri.dsullivan at bsdad.uchicago.edu" on the IPA DC shows me as a member of the POSIX IPA group (cri_server_administrators_ipa at ipa.cri.uchicago.edu) as well as the AD domain group in the trusted domain (cri-aaa_server_administrators at bsdad.uchicago.edu). This remains consistent across any number of successful sshd logins into the DC using my a.cri.dsullivan at bsdad.uchicago.edu account, including after clearing the cache on the DC.
>
> On the client, I am seeing some unusual behavior. If I run the commands 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/* ; service sssd start', then run "id a.cri.dsullivan at bsdad.uchicago.edu", I see the POSIX IPA group as well as the AD domain group as described above (what I presumably want and expect). However (and this is the unusual part), if I attempt to login via SSH (it will fail with HBAC validation), and then run the "id a.cri.dsullivan at bsdad.uchicago.edu" command again, the POSIX IPA group disappears from the list of groups output by the id command. From what I can tell, this group will not reappear in the group list on the client until the client cache is cleared. Presumably this behavior is related to the HBAC authentication errors I am experiencing. I have cleared the cache on both the DC and the client using ssh_cache -E and this behavior is still exhibited.
>
> With respect to output from testing:
>
> 1) The sssd domain log from the client of the initial id invocation (both groups appear) after clearing the cache (on the client) can be found here (this output contains both groups): https://gist.github.com/dsulli99/7117f8d567cc7cdf727d474b0aeab8da
> 2) The sssd domain log from the client for the failed sshd login (similar to the output I provided yesterday, however re-captured) can be found here (after this operation the IPA group disappears from the list of groups from the id command): https://gist.github.com/dsulli99/668a8799709ff0cd311b321206591124
> 3) The DC log (after the client cache is cleared) of my running the id invocation (from the client) can be found here (this is the DC side of 1) from above. https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39
> 4) The DC log of the failed sshd login into the client (this is the DC side of 2) from above is https://gist.github.com/dsulli99/4e3ba53c942ad78d7487ae51da92007e
>
> I really appreciate your help with looking at this issue. As I said I have another machine built from the same image that this is working fine on. I am going to keep plugging away at this, I will let you know if I come up with anything.
>
> Dan
>
>
>
> ********************************************************************************
> This e-mail is intended only for the use of the individual or entity to which
> it is addressed and may contain information that is privileged and confidential.
> If the reader of this e-mail message is not the intended recipient, you are
> hereby notified that any dissemination, distribution or copying of this
> communication is prohibited. If you have received this e-mail in error, please
> notify the sender and destroy all copies of the transmittal.
>
> Thank you
> University of Chicago Medicine and Biological Sciences
> ********************************************************************************

From suygur at firstderivatives.com Thu Jul 14 13:31:34 2016
From: suygur at firstderivatives.com (Stefan Uygur)
Date: Thu, 14 Jul 2016 13:31:34 +0000
Subject: [Freeipa-users] Freeipa replication issue
Message-ID: <38C784D32FB4354DAED01CCB1BB505351745C5E1@mail01.firstderivatives.com>

Hi All,
Sorry if this would appear to be an obvious issue and maybe someone has already discussed about it but I couldn't get anywhere information about how to resolve this issue that I am experiencing.

Basically I have an IPA master server where the admin password was originally the same as Directory Manager password, within months the admin password was changed and DM left as it was.

But I have followed the instructions given in below link to reset DM password:

https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html

Which I have tested after the reset using ldapsearch and it seems to be working perfectly.
But when I try to prepare the replica it keeps telling me that it is the wrong password as per below:

ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
Directory Manager (existing master) password:
The password provided is incorrect for LDAP server ipa1.example.com

Using the following to test the DM password:

ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"

Which gives me the correct result, long output.....but again, when I try to prepare replica still getting wrong password.

Any help greatly appreciated.

Stefan

From abokovoy at redhat.com Thu Jul 14 13:38:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 14 Jul 2016 16:38:56 +0300
Subject: [Freeipa-users] Freeipa replication issue
In-Reply-To: <38C784D32FB4354DAED01CCB1BB505351745C5E1@mail01.firstderivatives.com>
References: <38C784D32FB4354DAED01CCB1BB505351745C5E1@mail01.firstderivatives.com>
Message-ID: <20160714133856.p2j66wsicr2hx7aj@redhat.com>

On Thu, 14 Jul 2016, Stefan Uygur wrote:
>Hi All,
>Sorry if this would appear to be an obvious issue and maybe someone has
>already discussed about it but I couldn't get anywhere information
>about how to resolve this issue that I am experiencing.
>
>Basically I have an IPA master server where the admin password was
>originally the same as Directory Manager password, within months the
>admin password was changed and DM left as it was.
>
>But I have followed the instructions given in below link to reset DM
>password:
>
>https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html
This is incorrect document as it is not relevant to IPA.

Use http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

>Which I have tested after the reset using ldapsearch and it seems to be
>working perfectly.
>
>But when I try to prepare the replica it keeps telling me that it is the wrong
>password as per below:
>
>ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
>Directory Manager (existing master) password:
>The password provided is incorrect for LDAP server ipa1.example.com
>
>
>Using the following to test the DM password:
>
>ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"
>
>Which gives me the correct result, long output.....but again, when I
>try to prepare replica still getting wrong password.
There are more places where DM password is used for replica. You changed
it only 389-ds but didn't change other places. Use instructions above.

--
/ Alexander Bokovoy

From suygur at firstderivatives.com Thu Jul 14 14:10:27 2016
From: suygur at firstderivatives.com (Stefan Uygur)
Date: Thu, 14 Jul 2016 14:10:27 +0000
Subject: [Freeipa-users] Freeipa replication issue
In-Reply-To: <20160714133856.p2j66wsicr2hx7aj@redhat.com>
References: <38C784D32FB4354DAED01CCB1BB505351745C5E1@mail01.firstderivatives.com> <20160714133856.p2j66wsicr2hx7aj@redhat.com>
Message-ID: <38C784D32FB4354DAED01CCB1BB505351745C60F@mail01.firstderivatives.com>

Hi Alexander,
Thanks for a quick reply first of all and to be honest actually I have tried that link too, it didn't work either.

This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6

When I reproduce the last step of the instructions you provided:

ldappasswd -h localhost -ZZ -p 389 -x -D "cn=Directory Manager" -W -T dm_password
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Or trying this one (because I am not sure if I have dogtag 10):

ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -T dm_password
Enter LDAP Password:
Result: No such object (32)
Additional info: No such Entry exists.

I couldn't figure out clearly, your help much appreciated wherever you can.

Many thanks


-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: 14 July 2016 14:39
To: Stefan Uygur
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa replication issue

On Thu, 14 Jul 2016, Stefan Uygur wrote:
>Hi All,
>Sorry if this would appear to be an obvious issue and maybe someone has
>already discussed about it but I couldn't get anywhere information
>about how to resolve this issue that I am experiencing.
>
>Basically I have an IPA master server where the admin password was
>originally the same as Directory Manager password, within months the
>admin password was changed and DM left as it was.
>
>But I have followed the instructions given in below link to reset DM
>password:
>
>https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html
This is incorrect document as it is not relevant to IPA.

Use http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

>Which I have tested after the reset using ldapsearch and it seems to be
>working perfectly.
>
>But when I try to prepare the replica it keeps telling me that it is the wrong
>password as per below:
>
>ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
>Directory Manager (existing master) password:
>The password provided is incorrect for LDAP server ipa1.example.com
>
>
>Using the following to test the DM password:
>
>ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"
>
>Which gives me the correct result, long output.....but again, when I
>try to prepare replica still getting wrong password.
There are more places where DM password is used for replica. You changed it only 389-ds but didn't change other places. Use instructions above.

--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Jul 14 14:14:31 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 14 Jul 2016 16:14:31 +0200
Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl
In-Reply-To:
References:
Message-ID:

On 07/14/2016 12:57 PM, Martin Kosek wrote:
> On 07/13/2016 04:24 AM, Devin Acosta wrote:
>>
>> I was trying to create another Replica but then noticed it was constantly having
>> issues trying to finish the joining of the replication. I then ran the command:
>> repl-monitor.pl , It appears i have several replicaid's
>> and they seem to be having issues, wondering if this is adding to my issue.
>>
>> Anyone know how I can resolve this issue and clean up the replication???
>>
>> See attached Screenshot.
>
> I wonder if cleaning RUVs help:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/trouble-replica.html#trouble-repl-cleanruv
>

dangling RUVs

1. "Can't acquire busy replica" seems OK if it disappears after a while.

2. "1 Unable to acquire replicaLDAP error: Can't contact LDAP"

Probably worth investigating if ipa01-i2x.rsinc.local:389 and ipa01-jap.rsinc.local:389 still exist. If not then there is probably a dangling replication agreement for o=ipaca suffix.
--
Petr Vobornik

From mareynol at redhat.com Thu Jul 14 14:26:30 2016
From: mareynol at redhat.com (Mark Reynolds)
Date: Thu, 14 Jul 2016 10:26:30 -0400
Subject: [Freeipa-users] Freeipa replication issue
In-Reply-To: <38C784D32FB4354DAED01CCB1BB505351745C60F@mail01.firstderivatives.com>
References: <38C784D32FB4354DAED01CCB1BB505351745C5E1@mail01.firstderivatives.com> <20160714133856.p2j66wsicr2hx7aj@redhat.com> <38C784D32FB4354DAED01CCB1BB505351745C60F@mail01.firstderivatives.com>
Message-ID: <0f695d7e-b5d7-bed2-d72f-d4c617846189@redhat.com>

On 07/14/2016 10:10 AM, Stefan Uygur wrote:
> Hi Alexander,
> Thanks for a quick reply first of all and to be honest actually I have tried that link too, it didn't work either.
>
> This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6
>
> When I reproduce the last step of the instructions you provided:
>
> ldappasswd -h localhost -ZZ -p 389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> Or trying this one (because I am not sure if I have dogtag 10):
>
> ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -T dm_password
> Enter LDAP Password:
> Result: No such object (32)
> Additional info: No such Entry exists.
The problem here is that "cn=directory manager" does not exist in a database. It only exists in the cn=config entry, so ldappasswd will not work. You must follow this process:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_Passwords

But I'm not sure if your problem is the directory manager account though. You need to look through the Directory Server access log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which BIND dn is failing. It could be a different user/account.

Mark
>
> I couldn't figure out clearly, your help much appreciated wherever you can.
>
> Many thanks
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: 14 July 2016 14:39
> To: Stefan Uygur
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa replication issue
>
> On Thu, 14 Jul 2016, Stefan Uygur wrote:
>> Hi All,
>> Sorry if this would appear to be an obvious issue and maybe someone has
>> already discussed about it but I couldn't get anywhere information
>> about how to resolve this issue that I am experiencing.
>>
>> Basically I have an IPA master server where the admin password was
>> originally the same as Directory Manager password, within months the
>> admin password was changed and DM left as it was.
>>
>> But I have followed the instructions given in below link to reset DM
>> password:
>>
>> https://www.centos.org/docs/5/html/CDS/install/8.0/Installation_Guide-Common_Usage-Resetting_Passwords.html
> This is incorrect document as it is not relevant to IPA.
>
> Use http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
>> Which I have tested after the reset using ldapsearch and it seems to be
>> working perfectly.
>>
>> But when I try to prepare the replica it keeps telling me that it is the wrong
>> password as per below:
>>
>> ipa-replica-prepare ipa2.example.com --ip-address 10.0.0.3
>> Directory Manager (existing master) password:
>> The password provided is incorrect for LDAP server ipa1.example.com
>>
>>
>> Using the following to test the DM password:
>>
>> ldapsearch -x -D "cn=directory manager" -w DM_PASSWD base -b "" "objectclass=*"
>>
>> Which gives me the correct result, long output.....but again, when I
>> try to prepare replica still getting wrong password.
> There are more places where DM password is used for replica. You changed it only 389-ds but didn't change other places. Use instructions above.
>
>
> --
> / Alexander Bokovoy
>

From pvoborni at redhat.com Thu Jul 14 14:40:56 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 14 Jul 2016 16:40:56 +0200
Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment
In-Reply-To:
References:
Message-ID: <375f7afa-d065-207b-6956-5c0f30ea1cd4@redhat.com>

On 07/14/2016 07:13 AM, Grant Wu wrote:
> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a
> pain point for quite some time. I've heard that FreeIPA might be a solution
> worth exploring.
>
> I would like to try to avoid user visible disruption if possible, however. This
> means that we would like to keep our Kerberos realm name, keep AFS cross-realm
> authentication working, etc. UIDs remaining the same would be good; I'd have to
> think about

Users and groups can be migrated by `ipa migrate-ds` command. It allows you to keep UIDs and GIDs but one must make sure that IPA servers are configured to issue new UIDs and GIDs which doesn't overlap with the migrated ones. There are options in ipa-server-install and ipa-replica-manage tools for that. This can be evaluated in an isolated network against a clone of your LDAP server.

Cross realm trust with AFS is a challenge though. IPA now supports only cross realm trust with Active Directory. Trusts with other general KDCs are not yet supported.

Other migration challenge might be migration of services. It is not done by the above mentioned `ipa migrate-ds`. When the service accounts are added to IPA, you would have to obtain new keytabs for the services.

>
> Essentially all of our clients are various flavors of Debian; mostly Jessie (we
> have an unfortunate number of older machines that I hope to upgrade soon).

A possibility is to use SSSD as client on Debian.

>
> Has anyone done something like this before? Anyone have any ideas what the
> migration path would look like or whether this is even possible?
> > Thanks, > > Grant Wu > grantwu at andrew.cmu.edu > -- Petr Vobornik From pvoborni at redhat.com Thu Jul 14 14:58:25 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 14 Jul 2016 16:58:25 +0200 Subject: [Freeipa-users] named-pkcs11 fails on new ipa replica In-Reply-To: <6c32983d-386a-7915-8949-74d55253cff4@jackland.demon.co.uk> References: <6c32983d-386a-7915-8949-74d55253cff4@jackland.demon.co.uk> Message-ID: <0a1a5073-f436-a6b8-d4d3-5834c7110f52@redhat.com> On 07/13/2016 08:51 PM, Bob Hinton wrote: > Hi, > > We are trying to create a new replica on RHEL 7.2 > > This completes but named-pkcs11 fails to start - > > systemctl status named-pkcs11.service > ? named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native > PKCS#11 > Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; > disabled; vendor preset: disabled) > Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; > 51min ago > Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS > (code=exited, status=1/FAILURE) > Process: 25910 ExecStartPre=/bin/bash -c if [ ! > "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z > /etc/named.conf; else echo "Checking of zone files is disabled"; fi > (code=exited, status=0/SUCCESS) > > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. 
> Support and training for BIND 9 are > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at > https://www.isc.org/support > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: > ---------------------------------------------------- > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on > open files from 4096 to 1048576 > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, > using 1 worker thread > Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP > listener per interface > Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: > control process exited, code=exited status=1 > Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley > Internet Name Domain (DNS) with native PKCS#11. > Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service > entered failed state. > Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed. > > # /usr/sbin/named-pkcs11 -d 9 -g > 13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g > 13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' > '--host=x86_64-redhat-linux-gnu' '--program-prefix=' > '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' > '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' > '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' > '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' > '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' > '--localstatedir=/var' '--enable-threads' '--enable-ipv6' > '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' > '--disable-openssl-version-check' '--enable-exportlib' > '--with-export-libdir=/usr/lib64' > '--with-export-includedir=/usr/include' > '--includedir=/usr/include/bind9' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' > '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' 
'--with-dlz-mysql=yes' > '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' > '--disable-isc-spnego' '--enable-fixed-rrset' > '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' > 'build_alias=x86_64-redhat-linux-gnu' > 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall > -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong > --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' > 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' > 13-Jul-2016 19:31:01.283 > ---------------------------------------------------- > 13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems > Consortium, > 13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit > 13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are > 13-Jul-2016 19:31:01.284 available at https://www.isc.org/support > 13-Jul-2016 19:31:01.284 > ---------------------------------------------------- > 13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576 > 13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread > 13-Jul-2016 19:31:01.284 using 1 UDP listener per interface > 13-Jul-2016 19:31:01.284 using up to 4096 sockets > 13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver > 13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen' > 13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen' > 13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed > 13-Jul-2016 19:31:01.287 exiting (due to fatal error) > > # tail -2 /var/log > > Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: > ObjectStore.cpp(59): Failed to enumerate object store in > /var/lib/softhsm/tokens/ > > Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): > Could not load the object store > > I've tried "ipa-server-upgrade" and > > mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD > > ipa-dns-install > > But I haven't managed to fix it. 
> > Using "ipactl start -f" means the rest of the ipa services seem to work > properly, but without named. > > Is there a way to fix the named issue or is it much simpler to > disconnect the replica, uninstall it and start again ? > > Thanks > > Bob Hinton > Hi Bob, what is the version of your IPA packages? Do you use the latest update? Sounds like an issue which should be fixed in ipa-server-4.2.0-15.el7_2.5.x86_64 what are your umask settings? The issue happened when there was umask set to 077 and then the softhsm dir was created with incorrect permissions. -- Petr Vobornik From pvoborni at redhat.com Thu Jul 14 15:22:33 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 14 Jul 2016 17:22:33 +0200 Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) In-Reply-To: <89213DDB84447F44A8E8950A5C2185E04825FACC@SJN01013.jnmain00.corp.jndata.net> References: <89213DDB84447F44A8E8950A5C2185E04825FACC@SJN01013.jnmain00.corp.jndata.net> Message-ID: <9bb5c659-e739-12fc-0f8b-4635fbb5d21d@redhat.com> On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote: > Well, I just had the same problem, but in my case I also tried to install a ca: > > "ipa-replica-install --setup-ca ..." > > Without "--set-up" the installation succeeded. > > Regards, > > Bjarne > The error below is not related to CA. It tries to check that new replica's ldap service principal was replicated to master server. The principal is not replicated there and after 60 attempts it fails. What is your replication topology? Could it be that other replicas are keeping this master busy? Does installation against other replica work? Could you provide dirsrv error log of the master from the time of installation? > > > *From:*Devin Acosta [mailto:linuxguru.co at gmail.com] > *Sent:* 12. juli 2016 21:35 > *To:* freeipa-users at redhat.com > *Subject:* [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) > > I am trying to add a 4th replica to my FreeIPA installation.
I am running the > latest CentOS 7.2 (full updates) and i have tried multiple times and fails every > time in same location. When it fails I remove the replication agreements and try > again and keeps failing in same location. > > [root at ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg > > WARNING: conflicting time&date synchronization service 'chronyd' will > > be disabled in favor of ntpd > > Directory Manager (existing master) password: > > Run connection check to master > > Check connection from replica to remote master 'ipa01-aws.rsinc.local': > > Directory Service: Unsecure port (389): OK > > Directory Service: Secure port (636): OK > > Kerberos KDC: TCP (88): OK > > Kerberos Kpasswd: TCP (464): OK > > HTTP Server: Unsecure port (80): OK > > HTTP Server: Secure port (443): OK > > The following list of ports use UDP protocol and would need to be > > checked manually: > > Kerberos KDC: UDP (88): SKIPPED > > Kerberos Kpasswd: UDP (464): SKIPPED > > Connection from replica to master is OK. > > Start listening on required ports for remote master check > > Get credentials to log in to remote master > > admin at RSINC.LOCAL password: > > Check SSH connection to remote master > > Execute check on remote master > > Check connection from master to remote replica 'ipa03-aws.rsinc.local': > > Directory Service: Unsecure port (389): OK > > Directory Service: Secure port (636): OK > > Kerberos KDC: TCP (88): OK > > Kerberos KDC: UDP (88): OK > > Kerberos Kpasswd: TCP (464): OK > > Kerberos Kpasswd: UDP (464): OK > > HTTP Server: Unsecure port (80): OK > > HTTP Server: Secure port (443): OK > > Connection from master to replica is OK. > > Connection check OK > > Configuring NTP daemon (ntpd) > > [1/4]: stopping ntpd > > [2/4]: writing configuration > > [3/4]: configuring ntpd to start on boot > > [4/4]: starting ntpd > > Done configuring NTP daemon (ntpd). > > Configuring directory server (dirsrv). 
Estimated time: 1 minute > > [1/38]: creating directory server user > > [2/38]: creating directory server instance > > [3/38]: adding default schema > > [4/38]: enabling memberof plugin > > [5/38]: enabling winsync plugin > > [6/38]: configuring replication version plugin > > [7/38]: enabling IPA enrollment plugin > > [8/38]: enabling ldapi > > [9/38]: configuring uniqueness plugin > > [10/38]: configuring uuid plugin > > [11/38]: configuring modrdn plugin > > [12/38]: configuring DNS plugin > > [13/38]: enabling entryUSN plugin > > [14/38]: configuring lockout plugin > > [15/38]: creating indices > > [16/38]: enabling referential integrity plugin > > [17/38]: configuring ssl for ds instance > > [18/38]: configuring certmap.conf > > [19/38]: configure autobind for root > > [20/38]: configure new location for managed entries > > [21/38]: configure dirsrv ccache > > [22/38]: enable SASL mapping fallback > > [23/38]: restarting directory server > > [24/38]: setting up initial replication > > Starting replication, please wait until this has completed. > > Update in progress, 4 seconds elapsed > > Update succeeded > > [25/38]: updating schema > > [26/38]: setting Auto Member configuration > > [27/38]: enabling S4U2Proxy delegation > > [28/38]: importing CA certificates from LDAP > > [29/38]: initializing group membership > > [30/38]: adding master entry > > [31/38]: initializing domain level > > [32/38]: configuring Posix uid/gid generation > > [33/38]: adding replication acis > > [34/38]: enabling compatibility plugin > > [35/38]: activating sidgen plugin > > [36/38]: activating extdom plugin > > [37/38]: tuning directory server > > [38/38]: configuring directory to start on boot > > Done configuring directory server (dirsrv). > > Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds > > [1/8]: adding sasl mappings to the directory > > [2/8]: configuring KDC > > [3/8]: creating a keytab for the directory > > [4/8]: creating a keytab for the machine > > [5/8]: adding the password extension to the directory > > [6/8]: enable GSSAPI for replication > > [error] RuntimeError: One of the ldap service principals is missing. > Replication agreement cannot be converted. > > Replication error message: Can't acquire busy replica > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap > service principals is missing. Replication agreement cannot be converted. > > Replication error message: Can't acquire busy replica > > Please see attached file for the full log file. > > Any help would be appreciated! > > > -- Petr Vobornik From linuxguru.co at gmail.com Thu Jul 14 15:35:20 2016 From: linuxguru.co at gmail.com (Devin Acosta) Date: Thu, 14 Jul 2016 08:35:20 -0700 Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl In-Reply-To: References: Message-ID: ipa01-jap was a host that is no more, is there a simple way to clear these replication agreements to clean it up? On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik wrote: > On 07/14/2016 12:57 PM, Martin Kosek wrote: > > On 07/13/2016 04:24 AM, Devin Acosta wrote: > >> > >> I was trying to create another Replica but then noticed it was > constantly having > >> issues trying to finish the joining of the replication. I then ran the > command: > >> repl-monitor.pl , It appears i have several > replicaid's > >> and they seem to be having issues, wondering if this is adding to my > issue. > >> > >> Anyone know how I can resolve this issue and clean up the replication??? > >> > >> See attached Screenshot. 
> > > > I wonder if cleaning RUVs helps: > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/trouble-replica.html#trouble-repl-cleanruv > > > > dangling RUVs > > 1. "Can't acquire busy replica" > seems OK if it disappears after a while. > > 2. "1 Unable to acquire replicaLDAP error: Can't contact LDAP" > Probably worth investigating if ipa01-i2x.rsinc.local:389 and ipa01-jap.rsinc.local:389 still exist. If not then there is probably a > dangling replication agreement for o=ipaca suffix. > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Thu Jul 14 16:42:49 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 14 Jul 2016 18:42:49 +0200 Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0? In-Reply-To: References: <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1> <20160714104943.GG19244@10.4.128.1> <20160714113245.GH19244@10.4.128.1> Message-ID: <20160714164248.GA29266@10.4.128.1> On (14/07/16 13:52), Tomas Simecek wrote: >Hi Lukas, >sorry to say, but nothing helps. > >I have just updated IPA server, so that now it is: >[root at svlxxipap ~]# cat /etc/redhat-release >CentOS Linux release 7.2.1511 (Core) > >with: >[root at svlxxipap ~]# rpm -qa|grep ipa >ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64 >libipa_hbac-1.13.0-40.el7_2.9.x86_64 >ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64 >ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64 >python-iniparse-0.4-9.el7.noarch >ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64 >sssd-ipa-1.13.0-40.el7_2.9.x86_64 >ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64 >python-libipa_hbac-1.13.0-40.el7_2.9.x86_64 >ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64 > It has to work with IPA on CentOS 7.2 and sssd-1.13.3-22.el6_8.4 on client.
>I have also changed sudoers to sudo in sssd.conf as you suggested and >restarted sssd. >No difference, still: >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart >[sudo] password for simecek.tomas at sd-stc.cz: >simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will be >reported. > >I guess I will pilot some more IPA clients to make sure it works reliably >and if yes, I guess we will be able to live with the fact that older >Linuxes do not offer sudo to AD clients. > I assume you meant AD users from trust. But previously, you provided data and user was member of group which should be allowed to use sudo rules. I would like to find out why sudo rules were not fetched from IPA. I would like to see full log file + dump of sssd cache. Please: * clean cache and log files on *IPA server* rm -f /var/lib/sss/db/* /var/log/sssd/* * enable debug_level=9 in domain section and sudo * restart sssd on *IPA server* * clean cache and log files on *IPA client* rm -f /var/lib/sss/db/* /var/log/sssd/* * enable debug_level=9 in domain section and sudo * restart sssd on *IPA client* * authenticate with user simecek.tomas at sd-stc.cz * call id simecek.tomas at sd-stc.cz * try sudo. * send all sssd log files + sssd.conf * provide dump of sssd cache ldbsearch -H /var/lib/sss/db/cache_$domain.ldb (utility ldbsearch is part of package ldb-tools) Please provide log files, sssd.conf and dump of sssd cache from client and also from IPA server. Thank you very much for patience. LS From simecek.tomas at gmail.com Thu Jul 14 17:32:34 2016 From: simecek.tomas at gmail.com (Tomas Simecek) Date: Thu, 14 Jul 2016 19:32:34 +0200 Subject: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
In-Reply-To: <20160714164248.GA29266@10.4.128.1> References: <20160714071738.GA19244@10.4.128.1> <20160714083815.GC19244@10.4.128.1> <20160714102137.GE19244@10.4.128.1> <20160714104943.GG19244@10.4.128.1> <20160714113245.GH19244@10.4.128.1> <20160714164248.GA29266@10.4.128.1> Message-ID: Hi Lukas, thanks, I see you're really trying to help. Log files are attached. 2016-07-14 18:42 GMT+02:00 Lukas Slebodnik : > On (14/07/16 13:52), Tomas Simecek wrote: > >Hi Lukas, > >sorry to say, but nothing helps. > > > >I have just updated IPA server, so that now it is: > >[root at svlxxipap ~]# cat /etc/redhat-release > >CentOS Linux release 7.2.1511 (Core) > > > >with: > >[root at svlxxipap ~]# rpm -qa|grep ipa > >ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64 > >libipa_hbac-1.13.0-40.el7_2.9.x86_64 > >ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64 > >ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64 > >python-iniparse-0.4-9.el7.noarch > >ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64 > >sssd-ipa-1.13.0-40.el7_2.9.x86_64 > >ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64 > >python-libipa_hbac-1.13.0-40.el7_2.9.x86_64 > >ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64 > > > It has to work with IPA on CentOS 7.2 > and sssd-1.13.3-22.el6_8.4 on client. > > >I have also changed sudoers to sudo in sssd.conf as you suggested and > >restarted sssd. > >No difference, still: > >[simecek.tomas at sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart > >[sudo] password for simecek.tomas at sd-stc.cz: > >simecek.tomas at sd-stc.cz is not in the sudoers file. This incident will > be > >reported. > > > >I guess I will pilot some more IPA clients to make sure it works reliably > >and if yes, I guess we will be able to live with the fact that older > >Linuxes doe not offer sudo to AD clients. > > > I assume you meant AD users from trust. > > But previously, you provided data and user was member of group which > should be alowed to use sudo rules. 
> > I would like to find out why sudo rules were not fetched from IPA. > > I would like to see full log file + dump of sssd cache. > Please: > * clean cache and log files on *IPA server* > rm -f /var/lib/sss/db/* /var/log/sssd/* > * enable debug_level=9 in domain section and sudo > * restart sssd on *IPA server* > > * clean cache and log files on *IPA client* > rm -f /var/lib/sss/db/* /var/log/sssd/* > * enable debug_level=9 in domain section and sudo > * restart sssd *IPA client* > > > * authernticate with user simecek.tomas at sd-stc.cz > * call id simecek.tomas at sd-stc.cz > * try sudo. > > * send all sssd log files + sssd.conf > * provide dump of sssd cache > ldbsearch -H /var/lib/sss/db/cache_$domain.ldb > (utility ldbsearch is part of package ldb-tools > > > Please provide log files, sssd.conf and dump of sssd cache > from client and also from IPA server. > > Thank you very much for patience. > > LS > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: client.tgz Type: application/x-gzip Size: 72969 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: server.tgz Type: application/x-gzip Size: 121645 bytes Desc: not available URL: From linuxguru.co at gmail.com Thu Jul 14 20:16:13 2016 From: linuxguru.co at gmail.com (Devin Acosta) Date: Thu, 14 Jul 2016 13:16:13 -0700 Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) In-Reply-To: <9bb5c659-e739-12fc-0f8b-4635fbb5d21d@redhat.com> References: <89213DDB84447F44A8E8950A5C2185E04825FACC@SJN01013.jnmain00.corp.jndata.net> <9bb5c659-e739-12fc-0f8b-4635fbb5d21d@redhat.com> Message-ID: When i tried to create the replica from another server, it fails giving me this? 
[root at ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address 10.40.x.x Directory Manager (existing master) password: If you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well. The replica must be created on the primary IPA server. On Thu, Jul 14, 2016 at 8:22 AM, Petr Vobornik wrote: > On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote: > > Well, I just had the same problem, but in my case I also tried to > install a ca: > > > > "ipa-replica-install --setup-ca ..." > > > > Without "--set-up" the installation succeeded. > > > > Regards, > > > > Bjarne > > > > The error below is not related to CA. > > It tries to check that new replica's ldap service principal was replica > to master server. The principal is not replicated there and after 60 > attemps it fails. > > What is your replication topology? Could it be that other replicas are > keeping this master busy? > > Does installation against other replica work? > > Could you provide dirsrv error log of the master from the time of > installation? > > > > > > > *From:*Devin Acosta [mailto:linuxguru.co at gmail.com] > > *Sent:* 12. juli 2016 21:35 > > *To:* freeipa-users at redhat.com > > *Subject:* [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI) > > > > I am trying to add a 4th replica to my FreeIPA installation. I am > running the > > latest CentOS 7.2 (full updates) and i have tried multiple times and > fails every > > time in same location. When it fails I remove the replication agreements > and try > > again and keeps failing in same location.
> > > > [root at ipa03-aws centos]# ipa-replica-install > replica-info-ipa03-aws.rsinc.local.gpg > > > > WARNING: conflicting time&date synchronization service 'chronyd' will > > > > be disabled in favor of ntpd > > > > Directory Manager (existing master) password: > > > > Run connection check to master > > > > Check connection from replica to remote master 'ipa01-aws.rsinc.local': > > > > Directory Service: Unsecure port (389): OK > > > > Directory Service: Secure port (636): OK > > > > Kerberos KDC: TCP (88): OK > > > > Kerberos Kpasswd: TCP (464): OK > > > > HTTP Server: Unsecure port (80): OK > > > > HTTP Server: Secure port (443): OK > > > > The following list of ports use UDP protocol and would need to be > > > > checked manually: > > > > Kerberos KDC: UDP (88): SKIPPED > > > > Kerberos Kpasswd: UDP (464): SKIPPED > > > > Connection from replica to master is OK. > > > > Start listening on required ports for remote master check > > > > Get credentials to log in to remote master > > > > admin at RSINC.LOCAL password: > > > > Check SSH connection to remote master > > > > Execute check on remote master > > > > Check connection from master to remote replica 'ipa03-aws.rsinc.local': > > > > Directory Service: Unsecure port (389): OK > > > > Directory Service: Secure port (636): OK > > > > Kerberos KDC: TCP (88): OK > > > > Kerberos KDC: UDP (88): OK > > > > Kerberos Kpasswd: TCP (464): OK > > > > Kerberos Kpasswd: UDP (464): OK > > > > HTTP Server: Unsecure port (80): OK > > > > HTTP Server: Secure port (443): OK > > > > Connection from master to replica is OK. > > > > Connection check OK > > > > Configuring NTP daemon (ntpd) > > > > [1/4]: stopping ntpd > > > > [2/4]: writing configuration > > > > [3/4]: configuring ntpd to start on boot > > > > [4/4]: starting ntpd > > > > Done configuring NTP daemon (ntpd). > > > > Configuring directory server (dirsrv). 
Estimated time: 1 minute > > > > [1/38]: creating directory server user > > > > [2/38]: creating directory server instance > > > > [3/38]: adding default schema > > > > [4/38]: enabling memberof plugin > > > > [5/38]: enabling winsync plugin > > > > [6/38]: configuring replication version plugin > > > > [7/38]: enabling IPA enrollment plugin > > > > [8/38]: enabling ldapi > > > > [9/38]: configuring uniqueness plugin > > > > [10/38]: configuring uuid plugin > > > > [11/38]: configuring modrdn plugin > > > > [12/38]: configuring DNS plugin > > > > [13/38]: enabling entryUSN plugin > > > > [14/38]: configuring lockout plugin > > > > [15/38]: creating indices > > > > [16/38]: enabling referential integrity plugin > > > > [17/38]: configuring ssl for ds instance > > > > [18/38]: configuring certmap.conf > > > > [19/38]: configure autobind for root > > > > [20/38]: configure new location for managed entries > > > > [21/38]: configure dirsrv ccache > > > > [22/38]: enable SASL mapping fallback > > > > [23/38]: restarting directory server > > > > [24/38]: setting up initial replication > > > > Starting replication, please wait until this has completed. > > > > Update in progress, 4 seconds elapsed > > > > Update succeeded > > > > [25/38]: updating schema > > > > [26/38]: setting Auto Member configuration > > > > [27/38]: enabling S4U2Proxy delegation > > > > [28/38]: importing CA certificates from LDAP > > > > [29/38]: initializing group membership > > > > [30/38]: adding master entry > > > > [31/38]: initializing domain level > > > > [32/38]: configuring Posix uid/gid generation > > > > [33/38]: adding replication acis > > > > [34/38]: enabling compatibility plugin > > > > [35/38]: activating sidgen plugin > > > > [36/38]: activating extdom plugin > > > > [37/38]: tuning directory server > > > > [38/38]: configuring directory to start on boot > > > > Done configuring directory server (dirsrv). > > > > Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds > > > > [1/8]: adding sasl mappings to the directory > > > > [2/8]: configuring KDC > > > > [3/8]: creating a keytab for the directory > > > > [4/8]: creating a keytab for the machine > > > > [5/8]: adding the password extension to the directory > > > > [6/8]: enable GSSAPI for replication > > > > [error] RuntimeError: One of the ldap service principals is missing. > > Replication agreement cannot be converted. > > > > Replication error message: Can't acquire busy replica > > > > Your system may be partly configured. > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap > > service principals is missing. Replication agreement cannot be converted. > > > > Replication error message: Can't acquire busy replica > > > > Please see attached file for the full log file. > > > > Any help would be appreciated! > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jstephen at redhat.com Thu Jul 14 21:04:57 2016 From: jstephen at redhat.com (Justin Stephenson) Date: Thu, 14 Jul 2016 17:04:57 -0400 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> Message-ID: Hello Daniel, Just to clarify the issue: user 'a.cri.dsullivan at bsdad.uchicago.edu' is a member of IDM POSIX group 'cri-cri_server_administrators_ipa' which is linked to the external group used for the AD trust. 
The following HBAC rule is not working to allow SSH access [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all' Rule name: cri-cri_server_administrators_allow_all Host category: all Service category: all Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine Enabled: TRUE User Groups: cri-cri_server_administrators_ipa ================================================== During the HBAC processing, sssd checks which groups are associated with the HBAC rule and adds those groups(just the 'cri-cri_server_administrators_ipa' group in this case) to the memberUser attribute of the HBAC rule sysdb entry. (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_attrs_to_rule] (0x1000): Processing rule [cri-cri_server_administrators_allow_all] (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=cri-cri_server_administrators_ipa,cn=groups,cn=accounts,dc=ipa,dc=cri,dc=uchicago,dc=edu)) (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [cri-cri_server_administrators_ipa] to rule [cri-cri_server_administrators_allow_all] The hbac evaluation reads the originalMemberof attribute of 'a.cri.dsullivan at bsdad.uchicago.edu' to assess the groups which HBAC should match with (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_eval_user_element] (0x1000): [30] groups for [a.cri.dsullivan at bsdad.uchicago.edu] With debug logging enabled we should see a message such as the following when the group is found, but we don't see that in your log output: [hbac_eval_user_element] Added group [cri-cri_server_administrators_ipa] for user [a.cri.dsullivan at bsdad.uchicago.edu] We need to understand why this group is being removed from the sysdb, as you said the group does not return in id command output after the 
SSH attempt. It would be great to get full sssd debug logs and a dump of the sssd sysdb cache after the first 'id' command is run, and then after the SSH attempt is made when the group no longer shows. Note the ldbsearch command is included in the 'ldb-tools' rpm. For example: ldbsearch -H /var/lib/sss/db/cache_.ldb > ldbsearch-first-id-command.ldb ldbsearch -H /var/lib/sss/db/cache_.ldb > ldbsearch-after-ssh-attempt.ldb Kind regards, Justin Stephenson On 07/13/2016 03:14 PM, Sullivan, Daniel [AAA] wrote: > Jakub, Justin, > > Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I've been dealing with a production issue for most of the morning. > > An invocation of 'id a.cri.dsullivan at bsdad.uchicago.edu' on the IPA DC shows me as a member of the POSIX IPA group (cri_server_administrators_ipa at ipa.cri.uchicago.edu) as well as the AD domain group in the trusted domain (cri-aaa_server_administrators at bsdad.uchicago.edu). This remains consistent across any number of successful sshd logins into the DC using my a.cri.dsullivan at bsdad.uchicago.edu account, including after clearing the cache on the DC. > > On the client, I am seeing some unusual behavior. If I run the commands 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/* ; service sssd start', then run 'id a.cri.dsullivan at bsdad.uchicago.edu', I see the POSIX IPA group as well as the AD domain group as described above (what I presumably want and expect). However (and this is the unusual part), if I attempt to login via SSH (it will fail with HBAC validation), and then run the 'id a.cri.dsullivan at bsdad.uchicago.edu' command again, the POSIX IPA group disappears from the list of groups output by the id command. From what I can tell, this group will not reappear in the group list on the client until the client cache is cleared. Presumably this behavior is related to the HBAC authentication errors I am experiencing.
I have cleared the cache on both the DC and the client using ssh_cache -E and this behavior is still exhibited. With respect to output from testing: > > 1) The sssd domain log from the client of the initial id invocation (both groups appear) after clearing the cache (on the client) can be found here (this output contains both groups): https://gist.github.com/dsulli99/7117f8d567cc7cdf727d474b0aeab8da > 2) The sssd domain log from the client for the failed sshd login (similar to the output I provided yesterday, however re-captured) can be found here (after this operation the IPA group disappears from the list of groups from the id command): https://gist.github.com/dsulli99/668a8799709ff0cd311b321206591124 > 3) The DC log (after the client cache is cleared) of my running the id invocation (from the client) can be found here (this is the DC side of 1) from above. https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39 > 4) The DC log of the failed sshd login into the client (this is the DC side of 2) from above is https://gist.github.com/dsulli99/4e3ba53c942ad78d7487ae51da92007e > > I really appreciate your help with looking at this issue. As I said I have another machine built from the same image that this is working fine on. I am going to keep plugging away at this, I will let you know if I come up with anything. > > Dan > > > > ******************************************************************************** > This e-mail is intended only for the use of the individual or entity to which > it is addressed and may contain information that is privileged and confidential. > If the reader of this e-mail message is not the intended recipient, you are > hereby notified that any dissemination, distribution or copying of this > communication is prohibited. If you have received this e-mail in error, please > notify the sender and destroy all copies of the transmittal.
>
> Thank you
> University of Chicago Medicine and Biological Sciences
> ********************************************************************************

From dsullivan2 at bsd.uchicago.edu Thu Jul 14 21:13:46 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Thu, 14 Jul 2016 21:13:46 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <32CCB7A7-5B2F-4165-B9F8-8F4A325D0AE7@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <32CCB7A7-5B2F-4165-B9F8-8F4A325D0AE7@bsd.uchicago.edu>

Hi,

I wanted to follow up on this thread in case others are experiencing this problem. Installing SSSD 1.14 from the copr repository seems to have completely eliminated the HBAC issue on all systems that were exhibiting the problem as previously described.

https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

Also, FWIW thank you for fixing this (unrelated): https://fedorahosted.org/sssd/ticket/2838

Thank you to everybody who helped with this.

Dan

From dsullivan2 at bsd.uchicago.edu Thu Jul 14 21:23:58 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Thu, 14 Jul 2016 21:23:58 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu>
Message-ID: <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu>

Justin,

Thank you for taking the time to reply to me; I really appreciate your willingness to help. Upgrading to sssd 1.14 (from the copr repo) on the client seems to have fixed this problem across the board. I don't have a system that is currently broken to capture this data, but if it is important for you to have the log data to try and resolve this bug, I could try to obtain it for you by purposely trying to induce the issue by upgrading another system and hoping the bug presents itself, and then capture the data. Please advise if you would like me to attempt this.

I was really frustrated by this bug and am happy that I can consider this issue resolved. Please let me know if you would like me to try and capture the data as you described.

Best,

Dan

From datakid at gmail.com Thu Jul 14 23:45:38 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 09:45:38 +1000
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To: <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

On 14 July 2016 at 17:44, Sumit Bose wrote:

> On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote:
> > Ok, I have some logs of sssd 1.13.0 not working. Same values as before:
> >
> > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156
> >
> > Installed Packages
> > Name        : ipa-server
> > Arch        : x86_64
> > Version     : 4.2.0
> > Release     : 15.0.1.el7.centos.17
> > Size        : 5.0 M
> > Repo        : installed
> > From repo   : updates
> > Summary     : The IPA authentication server
> >
> > Successfully joined in one way trust to AD.
> >
> > Successfully have added hosts (Centos 7, sssd 1.13.0).
> >
> > [root@vmpr-linuxidm ~]# ipa hbacrule-find
> > --------------------
> > 5 HBAC rules matched
> > --------------------
> >
> > Rule name: allow_all
> > User category: all
> > Host category: all
> > Service category: all
> > Description: Allow all users to access any host from any host
> > Enabled: FALSE
> >
> > ...
> >
> > Rule name: ssh to galaxy
> > Service category: all
> > Description: Allows ssh to galaxy server
> > Enabled: TRUE
> > User Groups: ad_users
> > Hosts: papr-res-galaxy.unix.petermac.org.au
> >
> > With allow_all HBAC rule enabled, can login every time with
> >
> > ssh user@ad_domain@unix_host
> >
> > If I implement a HBAC rule "ssh to galaxy" as per above, with:
> >
> > ad_users is a POSIX group with a GID. It has one member, the group
> >
> > ad_external an external group with a single, external, member
> >
> > pmc-res-ipausers@petermac.org.au
> >
> > which is an AD group containing all the users that should have access to
> > the host.
> >
> > With allow_all disabled and "ssh to galaxy" enabled, some users can login
> > and some can't. There is no discernible pattern that might explain why some
> > are discriminated against.
> >
> > Here is the test from the server:
> >
> > [root@vmpr-linuxidm ~]# ipa hbactest --user=sandsjordan@petermac.org.au --host=papr-res-galaxy.unix.petermac.org.au --service=sshd
> > --------------------
> > Access granted: True
> > --------------------
> > Matched rules: ssh to galaxy
> > Not matched rules: Computing Cluster
> > Not matched rules: FACS Computing
> >
> > I've installed ipa-admintools on the host in question and got the same
> > result.
> >
> > To be on the safe side/tick all boxes, I have cleared the cache on the host
> > in question:
> >
> > systemctl stop sssd
> > sss_cache -E
> > systemctl start sssd
> >
> > and confirmed success with a status check.
> >
> > When the user tries to login, it fails.
> >
> > Log is here:
> >
> > http://dpaste.com/0VAFNPH
> >
> > The top is where the negotiating starts to the best of my knowledge.
> >
> > The attempt fails, with no information that is useful to me:
> >
> > 230 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > 231 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ssh to galaxy]
> > 232 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ssh to galaxy]
> > 233 (Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [3] groups for [SandsJordan@petermac.org.au]
>
> According to the HBAC evaluation the user is a member of 3 groups. Is
> this the expected number?
>
> Can you check if 'id SandsJordan@petermac.org.au' returns the expected
> list of groups on the client and the IPA server? (The client does not
> talk to AD directly only to the IPA server, so if something is already
> missing on the server it cannot be seen on the client as well).

No, this is incorrect. He belongs to 14 groups on both the FreeIPA server and the host in question.

[root@vmpr-linuxidm ~]# id sandsjordan@petermac.org.au | tr "," "\n" | wc -l
14

[root@papr-res-galaxy ~]# id sandsjordan@petermac.org.au | tr "," "\n" | wc -l
14

> Can you send me the SSSD cache file from the client
> /var/lib/sss/db/cache_unix.petermac.org.au.ldb after the login attempt?
> Since it might contain password hashes you might want to remove
> lines with 'cachedPassword' before

Ok, off list.

> bye,
> Sumit

From datakid at gmail.com Fri Jul 15 00:09:40 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 10:09:40 +1000
Subject: [Freeipa-users] HBAC and AD users
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

AH. I'm seeing a lot of this now.

hbac_eval_user_element is returning the wrong number of groups.
I just found another instance in my logs:

(Fri Jul 15 08:39:04 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan]

IPA server
[root@vmpr-linuxidm ~]# id simpsonlachlan@petermac.org.au | tr "," "\n" | wc -l
41

Host
[root@papr-res-galaxy ~]# id simpsonlachlan@petermac.org.au | tr "," "\n" | wc -l
41

L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
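The check Sumit Bose asks for and Lachlan does by hand above (the group count in the hbac_eval_user_element log line versus the count `id` prints) can be scripted, so that a whole domain log can be checked after a login attempt rather than one user at a time. The following is an added example, not code from the thread or from SSSD. It assumes the trusted domain name petermac.org.au from the thread for qualifying short names the log prints without a domain, and the tolerance of one group (for the primary group that `id` lists but an HBAC membership list may not) is an assumption as well. The sample log lines and `id` output are constructed.

```python
"""Compare SSSD's HBAC group count against what `id` reports for the same user.

Added example (not from the thread or from SSSD): reads the
"[hbac_eval_user_element] ... [N] groups for [user]" lines from an sssd domain
log and compares N with the number of groups `id user` prints.  Sample log
lines and `id` output are constructed.
"""
import re
from typing import Dict, List, Tuple

DOMAIN = "petermac.org.au"  # trusted AD domain from the thread; assumption used to qualify short names

# Matches the per-user summary sssd's HBAC code logs before evaluating rules.
HBAC_RE = re.compile(
    r"\[hbac_eval_user_element\] \(0x[0-9a-fA-F]+\): \[(\d+)\] groups for \[\s*([^\]]+?)\s*\]"
)

# Constructed sample: one HBAC evaluation line per user plus an unrelated line.
SAMPLE_LOG = """\
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Thu Jul 14 10:40:59 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [3] groups for [SandsJordan@petermac.org.au]
(Fri Jul 15 08:39:04 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan]
"""


def normalize(user: str, domain: str = DOMAIN) -> str:
    """Lower-case the name and qualify it with the domain when the log omits it."""
    user = user.strip().lower()
    return user if "@" in user else f"{user}@{domain}"


def parse_hbac_group_counts(log_text: str) -> Dict[str, int]:
    """Return {user: N} for every hbac_eval_user_element line; the last line per user wins."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = HBAC_RE.search(line)
        if m:
            counts[normalize(m.group(2))] = int(m.group(1))
    return counts


def count_id_groups(id_output: str) -> int:
    """Count entries in the groups= field of `id` output.

    Same idea as the `id user | tr "," "\\n" | wc -l` pipeline in the thread,
    but restricted to the groups= field so a comma elsewhere cannot skew it.
    """
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return 0
    return len([g for g in m.group(1).split(",") if g])


def find_mismatches(hbac_counts: Dict[str, int], id_outputs: Dict[str, str],
                    tolerance: int = 1) -> List[Tuple[str, int, int]]:
    """Users whose HBAC group count differs from `id` by more than `tolerance`.

    The tolerance is an assumption: `id` also prints the primary group, so a
    difference of one is not by itself suspicious.  A larger gap means the
    client evaluated the rule against fewer groups than the user really has.
    """
    out: List[Tuple[str, int, int]] = []
    for user, id_text in id_outputs.items():
        user_n = normalize(user)
        if user_n not in hbac_counts:
            continue
        got, expected = hbac_counts[user_n], count_id_groups(id_text)
        if abs(expected - got) > tolerance:
            out.append((user_n, got, expected))
    return out


def constructed_id_output(user: str, n_groups: int) -> str:
    """Fabricate `id` output with n_groups groups (sample data, not real IDs)."""
    groups = ",".join(f"{2000 + i}(group{i}@{DOMAIN})" for i in range(n_groups))
    return f"uid=1000({user}) gid=2000(group0@{DOMAIN}) groups={groups}"


# Constructed `id` output with the counts reported in the thread (14 and 41).
SAMPLE_ID = {
    "sandsjordan@petermac.org.au": constructed_id_output("sandsjordan@petermac.org.au", 14),
    "simpsonlachlan@petermac.org.au": constructed_id_output("simpsonlachlan@petermac.org.au", 41),
}

if __name__ == "__main__":
    for user, got, expected in find_mismatches(parse_hbac_group_counts(SAMPLE_LOG), SAMPLE_ID):
        print(f"{user}: HBAC evaluated {got} groups, id reports {expected}")
```

To run it against a real client, feed it the domain log (/var/log/sssd/sssd_<domain>.log with debug_level high enough to include the 0x1000 messages) and the captured output of `id user@domain` for each user named in it; a user flagged here is one whose HBAC rule was evaluated against an incomplete membership list, which is exactly the symptom that upgrading to sssd 1.14 removed for the posters in this thread.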
From datakid at gmail.com Fri Jul 15 01:27:24 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 11:27:24 +1000
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

Hey,

While hunting this sssd/hbac/AD user problem, I noticed in the selinux_child.log a lot of errors that look like this:

(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser] (0x0020): Cannot query for galaxy
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul jason@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): Cannot set SELinux login context.
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): selinux_child failed!
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): selinux_child started.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): context initialized
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): performing selinux operations
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul jason@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser] (0x0020): Cannot query for simpsonlachlan@petermac.org.au
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul jason@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): Cannot set SELinux login context.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): selinux_child failed!
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): selinux_child started.
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): context initialized
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): performing selinux operations
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul jason@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser] (0x0020): Cannot query for madhamshettiwar piyu@petermac.org.au
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10):

We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine.

But it should be noted that this check seems to be failing on a space in the AD user names.

(I know, spaces in user names is weird, wrong and embarrassing, but it's not my department. A fantastic example of Technical Debt and why project planning and testing are best done before implementation.)

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
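The log above shows the shape of the failure: libsemanage reads a seusers record field by field, stops the login-name field at whitespace, and then demands a ':' where it finds the 'j' of "jason"; because the whole file is cached before any query is answered, that one record also breaks the "Cannot query for" lookups of users whose names contain no space at all. The following is an added example, not sssd's selinux_child code and not libsemanage: a small scanner that applies that parsing rule to a seusers file and lists the records it would reject, plus a lookup that shows the blast radius. The sample file content is constructed and modelled on the record quoted in the log (the real file is the seusers.final path the log names); the workaround this thread settles on, `selinux_provider = none` in sssd.conf, switches the mapping off entirely, whereas the scan is what you would run if you want to keep the mapping and find the offending entries.

```python
"""Find seusers records that libsemanage will refuse to parse.

Added example (not sssd or libsemanage code): re-implements the one parsing
rule visible in the log above (a field ends at ':' or at whitespace; after
skipping whitespace the next character must be ':'), scans a seusers file
for records that break it, and shows why one bad record fails every lookup.
The sample file content is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: four well-formed records and one with a space in the
# login name, modelled on the record quoted in the log above.
SAMPLE_SEUSERS = """\
system_u:system_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
simpsonlachlan@petermac.org.au:unconfined_u:s0-s0:c0.c1023
ellul jason@petermac.org.au:unconfined_u:s0-s0:c0.c1023
"""


@dataclass(frozen=True)
class SeuserProblem:
    lineno: int
    record: str
    reason: str


def parse_record(line: str) -> Tuple[str, str, str]:
    """Split one 'login:seuser:mls' record the way libsemanage reads it.

    The login and seuser fields stop at ':' or whitespace; whitespace is then
    skipped and a ':' is required.  "ellul jason@..." therefore yields the
    login "ellul" and the error "expected character ':', but found 'j'".
    The MLS range is taken verbatim because it legitimately contains ':'.
    """
    pos = 0
    fields: List[str] = []
    for _ in range(2):
        start = pos
        while pos < len(line) and line[pos] != ":" and not line[pos].isspace():
            pos += 1
        fields.append(line[start:pos])
        while pos < len(line) and line[pos].isspace():
            pos += 1
        if pos >= len(line):
            raise ValueError("expected character ':', but found end of record")
        if line[pos] != ":":
            raise ValueError(f"expected character ':', but found {line[pos]!r}")
        pos += 1
    fields.append(line[pos:].strip())
    return fields[0], fields[1], fields[2]


def scan_seusers(text: str) -> List[SeuserProblem]:
    """Return every record (with its 1-based line number) that libsemanage would reject."""
    problems: List[SeuserProblem] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parse_record(line)
        except ValueError as exc:
            problems.append(SeuserProblem(lineno, line, str(exc)))
    return problems


def lookup_seuser(text: str, login: str) -> Optional[str]:
    """SELinux user mapped to `login`, or None when the file cannot be loaded.

    libsemanage caches the whole file before answering any query, so a single
    unparsable record ("could not cache file database") fails the lookup for
    every login, which is why the log shows "Cannot query for" names that
    contain no space at all.
    """
    if scan_seusers(text):
        return None
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, seuser, _mls = parse_record(line)
            table[name] = seuser
    return table.get(login)


if __name__ == "__main__":
    for p in scan_seusers(SAMPLE_SEUSERS):
        print(f"line {p.lineno}: {p.reason}: {p.record}")
```

Point `scan_seusers` at the contents of the seusers.final file from the log to get the same line number libsemanage reports (10 in the log above) together with the record behind it; every AD account with a space in its name will show up, and each one is enough on its own to make selinux_child fail for all logins on that host.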
From datakid at gmail.com Fri Jul 15 02:56:39 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 12:56:39 +1000
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

This line:

We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine.

Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

From datakid at gmail.com Fri Jul 15 03:07:00 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 13:07:00 +1000
Subject: [Freeipa-users] HBAC and AD users
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>

I've updated all the relevant hosts and the FreeIPA server to the COPR sssd 1.14.0 release and the problem seems to have disappeared.

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

From visakh.mv at sisplc.net Fri Jul 15 05:11:30 2016
From: visakh.mv at sisplc.net (Visakh MV)
Date: Fri, 15 Jul 2016 10:41:30 +0530
Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

Hi Team,

Could you provide the client setup guide for Ubuntu systems? We are using FreeIPA version 4.2.0. It's been a while that I have been trying to find the document for Ubuntu with the latest version of the FreeIPA server, and even now I cannot find the doc, so kindly provide the same doc via mail as soon as possible.

I have even tried some solutions that I could find on the internet, but they still did not help us.

--
Thanks & Regards,
Visakh m.v
Support Engineer
Soffit Infrastructure Services (P) Ltd | Raj Bhavan | Power House Road | Palarivattom | Kochi-25 | Kerala | India.
(M) +91-9497714447 | (O) 0484-3045663, 0484-3931393 | Web: www.soffit.in
Managed Services | Technical Services | Infrastructure Consulting | Audits & Assessments

DISCLAIMER : This email, which includes any attachments, is confidential, may be privileged and is intended solely for the use of the named recipient(s).
If you are not the intended recipient, do not disclose, distribute, or retain it, and please notify the sender immediately and delete the e-mail. E-mail is not necessarily secure or error free. It is your responsibility to ensure that e-mails are virus free. No one may conclude a contract on behalf of SOFFIT by e-mail without express written confirmation by a duly authorised representative of SOFFIT. Any views expressed in this e-mail are not necessarily those of SOFFIT. SOFFIT accepts no responsibility for any loss or damages arising in any way from the use of this e-mail as a means of communication. -------------- next part -------------- An HTML attachment was scrubbed... URL: From visakh.mv at sisplc.net Fri Jul 15 06:11:03 2016 From: visakh.mv at sisplc.net (Visakh MV) Date: Fri, 15 Jul 2016 11:41:03 +0530 Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04 In-Reply-To: References: Message-ID: Hi Team, I forgot to describe the actual requirement on IPA client machines, which we needs to configure client machine SUDO privilege from FreeIPA server for IPA Server users. after configuring client machines can able to login as a IPA user but unable to give sudo privilege from. Please revert back your kind response On Fri, Jul 15, 2016 at 10:41 AM, Visakh MV wrote: > Hi Team, > > Could you provide the client setup guide for Ubuntu systems. And we are > using FreeIPA 4.2.0 version. it's been a while trying to find the document > for Ubuntu with latest version FreeIPA Server, even now can not find the > doc. so kindly provide the same doc via mail as soon as good. > > even if tried some solution that could find out from internet as well but > still its not help us. > > -- > > Thanks & Regards, > > *Visakh m.v* > > *Support Engineer* > > Soffit Infrastructure Services (P) Ltd | Raj Bhavan | Power House Road | > Palarivattom|Kochi-25 | Kerala | India. 
>
> (M) +91-9497714447|(O) 0484-3045663,0484-3931393|Web:www.soffit.in
>
> Managed Services | Technical Services | Infrastructure Consulting | Audits
> & Assessments
>

--
Thanks & Regards,
*Visakh m.v*
*Support Engineer*
Soffit Infrastructure Services (P) Ltd | Raj Bhavan | Power House Road | Palarivattom|Kochi-25 | Kerala | India.
(M) +91-9497714447|(O) 0484-3045663,0484-3931393|Web:www.soffit.in
Managed Services | Technical Services | Infrastructure Consulting | Audits & Assessments

DISCLAIMER : This email, which includes any attachments, is confidential, may be privileged and is intended solely for the use of the named recipient(s). If you are not the intended recipient, do not disclose, distribute, or retain it, and please notify the sender immediately and delete the e-mail. E-mail is not necessarily secure or error free. It is your responsibility to ensure that e-mails are virus free. No one may conclude a contract on behalf of SOFFIT by e-mail without express written confirmation by a duly authorised representative of SOFFIT. Any views expressed in this e-mail are not necessarily those of SOFFIT.
SOFFIT accepts no responsibility for any loss or damages arising in any way from the use of this e-mail as a means of communication.

From zeal at freecharge.com Fri Jul 15 06:17:07 2016
From: zeal at freecharge.com (Zeal Vora)
Date: Fri, 15 Jul 2016 11:47:07 +0530
Subject: [Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA
Message-ID:

Hi

In our internal VA, the Vulnerability Assessment tools flag the HTTP TRACE / TRACK methods in IPA as a medium-severity vulnerability.

Is there a need to allow those two methods in IPA?

If not, what is the optimal way to disable those methods?

Thanks,
Zeal

From mkosek at redhat.com Fri Jul 15 06:17:34 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 15 Jul 2016 08:17:34 +0200
Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl
In-Reply-To:
References:
Message-ID: <51e8931a-f88b-12dd-0f30-6be421f4cb4c@redhat.com>

You should be able to succeed with "ipa-replica-manage del " and the --force/--cleanup flags:

$ man ipa-replica-manage
...
-c, --cleanup
    When deleting a master with the --force flag, remove leftover references to an already deleted master.
...

Martin

On 07/14/2016 05:35 PM, Devin Acosta wrote:
> ipa01-jap was a host that is no more, is there a simple way to clear these
> replication agreements to clean it up?
>
> On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik wrote:
>
> > On 07/14/2016 12:57 PM, Martin Kosek wrote:
> > > On 07/13/2016 04:24 AM, Devin Acosta wrote:
> > >>
> > >> I was trying to create another Replica but then noticed it was constantly having
> > >> issues trying to finish the joining of the replication. I then ran the command:
> > >> repl-monitor.pl , It appears i have several replicaid's
> > >> and they seem to be having issues, wondering if this is adding to my issue.
> > >>
> > >> Anyone know how I can resolve this issue and clean up the replication???
> > >>
> > >> See attached Screenshot.
> > >
> > > I wonder if cleaning RUVs help:
> > >
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/trouble-replica.html#trouble-repl-cleanruv
> > >
> >
> > dangling RUVs
> >
> > 1. "Can't acquire busy replica"
> > seems OK if it disappears after a while.
> >
> > 2. "1 Unable to acquire replicaLDAP error: Can't contact LDAP"
> > Probably worth investigating if ipa01-i2x.rsinc.local:389 and
> > ipa01-jap.rsinc.local:389 still exist. If not then there is probably a
> > dangling replication agreement for o=ipaca suffix.
> >
> > --
> > Petr Vobornik
>

From lslebodn at redhat.com Fri Jul 15 06:59:43 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 15 Jul 2016 08:59:43 +0200
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
In-Reply-To:
References:
Message-ID: <20160715065943.GA30895@10.4.128.1>

On (15/07/16 12:56), Lachlan Musicman wrote:
>This line:
>
>We have SELinux disabled on all of our servers, but we hadn't disabled this
>check in sssd.conf. So we enabled it in sssd.conf and everything worked
>fine.
>
>Should read that we *disabled* selinux.
>
>selinux_provider = none

Could you also try another solution?
Put "override_space = _" into the "sssd" section in sssd.conf and restart sssd.

As a result, the space will be replaced with an underscore and libsemanage should not complain.
@see man sssd.conf -> override_space

LS

From mkosek at redhat.com Fri Jul 15 07:29:49 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 15 Jul 2016 09:29:49 +0200
Subject: [Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA
In-Reply-To:
References:
Message-ID: <22bd7640-d73c-218c-9d1b-0cf3f56f9e95@redhat.com>

On 07/15/2016 08:17 AM, Zeal Vora wrote:
> Hi
>
> In our Internal VA, Vulnerability Assessment tools generates the HTTP TRACE /
> TRACK method in IPA as a medium based vulnerability.
>
> Is there a need to allow those two methods in IPA ?
>
> If not, what is the optimal way to disable those methods ?
>
>
> Thanks,
> Zeal

Hello Zeal,

I think it should be safe to disable these methods in the FreeIPA Apache configuration - I do not think FreeIPA uses them. I added your remark to

https://fedorahosted.org/freeipa/ticket/4431

This is where we plan to harden the FreeIPA Apache instance. If you have any other ideas that were not captured in the ticket yet, please feel free to share them with us!

Thanks,
Martin

From jhrozek at redhat.com Fri Jul 15 07:56:29 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 15 Jul 2016 09:56:29 +0200
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160715075629.GI4734@hendrix>

On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote:
> I've updated all the relevant hosts and the FreeIPA server to the COPR sssd
> 1.14.0 release and the problem seems to have disappeared.

Great, but please keep an eye on the machine; the 1.14 branch is still kind of fresh and we did a lot of changes.

About the HBAC issue, did you use the default_domain_suffix previously?
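Martin's reply to Zeal above says the TRACE / TRACK methods can be turned off in the Apache configuration. As an added example (not code from the thread, and not FreeIPA project code), the following Python script shows the httpd directive that does this, `TraceEnable off`, next to two offline checks a defender can use when closing out such a scanner finding: an audit of a configuration fragment for the effective TraceEnable value, and a classifier for a captured reply to a TRACE request. The configuration fragments, the HTTP responses, the hostname and the function names are all constructed for this example.

```python
"""Offline checks for an Apache httpd TRACE finding.

Constructed example for the thread above; not FreeIPA project code. Function
names and the sample config/response texts are my own.
"""
import re

# The Apache httpd directive that answers the scanner finding. The default is
# "TraceEnable on"; "off" makes httpd reply 405 Method Not Allowed to TRACE.
# It is valid in server config and <VirtualHost> context, not in .htaccess.
HARDENED_DIRECTIVE = "TraceEnable off"

# Constructed config fragments: the weak one never mentions TraceEnable (so the
# "on" default applies); the hardened one pins it off for the whole server.
WEAK_CONFIG = """\
ServerTokens Prod
ServerSignature Off
Include conf.d/*.conf
"""

HARDENED_CONFIG = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
Include conf.d/*.conf
"""

_TRACE_DIRECTIVE = re.compile(r"^TraceEnable\s+(\S+)$", re.IGNORECASE)
_VALID_VALUES = ("on", "off", "extended")


def effective_trace_setting(config_text: str) -> str:
    """Return the effective TraceEnable value ("on", "off" or "extended").

    Mirrors httpd's behaviour for one scope: the value defaults to "on" when
    the directive is absent, the last occurrence wins when it is repeated,
    and '#' comment lines are ignored. Directive names and values are
    case-insensitive in httpd, so "traceenable OFF" counts as well.
    """
    setting = "on"
    for raw_line in config_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        match = _TRACE_DIRECTIVE.match(line)
        if match is None:
            continue
        value = match.group(1).lower()
        if value not in _VALID_VALUES:
            raise ValueError(f"invalid TraceEnable value: {match.group(1)}")
        setting = value
    return setting


def trace_allowed_in_config(config_text: str) -> bool:
    """True when the config would still let httpd answer TRACE requests."""
    return effective_trace_setting(config_text) != "off"


# Constructed replies to a TRACE request, as a scanner would capture them.
# httpd echoes the request back with Content-Type message/http when TRACE is on.
TRACE_ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: ipa.example.test\r\n"
)

TRACE_DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>\r\n"
)


def trace_allowed_by_response(raw_response: bytes) -> bool:
    """Classify a captured reply to a TRACE request.

    TRACE counts as enabled only when the status is 200 and the body is the
    echoed request (Content-Type message/http); a 405 or 501, or a 200 with
    some other content type, means the method is not being honoured.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_parts = lines[0].split(b" ", 2)
    if len(status_parts) < 2 or not status_parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status = int(status_parts[1])
    headers = {}
    for header in lines[1:]:
        name, sep, value = header.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    content_type = headers.get(b"content-type", b"")
    return status == 200 and content_type.startswith(b"message/http")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} config: TraceEnable {effective_trace_setting(cfg)}")
    print("enabled response  ->", trace_allowed_by_response(TRACE_ENABLED_RESPONSE))
    print("disabled response ->", trace_allowed_by_response(TRACE_DISABLED_RESPONSE))
```

Putting `TraceEnable off` in the server-wide httpd configuration, rather than in one virtual host file, is what makes the config audit above meaningful: the audit only models a single scope, so a directive that lives in one vhost says nothing about the others. The response classifier is deliberately strict about `message/http`, because that content type is what distinguishes a real echo of the request (the cross-site tracing concern behind the finding) from a 200 served by some unrelated handler.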
From jhrozek at redhat.com Fri Jul 15 07:59:44 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 15 Jul 2016 09:59:44 +0200
Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04
In-Reply-To:
References:
Message-ID: <20160715075944.GJ4734@hendrix>

On Fri, Jul 15, 2016 at 11:41:03AM +0530, Visakh MV wrote:
> Hi Team,
>
> I forgot to describe the actual requirement on IPA client machines, which
> we needs to configure client machine SUDO privilege from FreeIPA server for
> IPA Server users. after configuring client machines can able to login as a
> IPA user but unable to give sudo privilege from. Please revert back your
> kind response

We don't have any special Ubuntu guide; the client setup should be the same as on RHEL though, just ipa-client-install.

About sudo, I don't know what sssd version there is on Ubuntu 12, but if it's an old version (<1.9) you might need to configure sudo_provider=ldap. With more recent versions, sudo_provider=ipa is already included.

From pvoborni at redhat.com Fri Jul 15 08:00:35 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 15 Jul 2016 10:00:35 +0200
Subject: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl
In-Reply-To: <51e8931a-f88b-12dd-0f30-6be421f4cb4c@redhat.com>
References: <51e8931a-f88b-12dd-0f30-6be421f4cb4c@redhat.com>
Message-ID: <191cff6f-2a88-c4ce-d089-77999dc130d6@redhat.com>

On 07/15/2016 08:17 AM, Martin Kosek wrote:
> You should be able to succeed with "ipa-replica-manage del "
> and --force/--cleanup flags:

but first call ipa-csreplica-manage del --force/--cleanup

>
> $ man ipa-replica-manage
> ...
> -c, --cleanup
> When deleting a master with the --force flag, remove leftover
> references to an already deleted master.
> ...
>
> Martin
>
> On 07/14/2016 05:35 PM, Devin Acosta wrote:
>> ipa01-jap was a host that is no more, is there a simple way to clear these
>> replication agreements to clean it up?
>>
>> On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik wrote:
>>
>> > On 07/14/2016 12:57 PM, Martin Kosek wrote:
>> > > On 07/13/2016 04:24 AM, Devin Acosta wrote:
>> > >>
>> > >> I was trying to create another Replica but then noticed it was constantly having
>> > >> issues trying to finish the joining of the replication. I then ran the command:
>> > >> repl-monitor.pl , It appears i have several replicaid's
>> > >> and they seem to be having issues, wondering if this is adding to my issue.
>> > >>
>> > >> Anyone know how I can resolve this issue and clean up the replication???
>> > >>
>> > >> See attached Screenshot.
>> > >
>> > > I wonder if cleaning RUVs help:
>> > >
>> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/trouble-replica.html#trouble-repl-cleanruv
>> > >
>> >
>> > dangling RUVs
>> >
>> > 1. "Can't acquire busy replica"
>> > seems OK if it disappears after a while.
>> >
>> > 2. "1 Unable to acquire replicaLDAP error: Can't contact LDAP"
>> > Probably worth investigating if ipa01-i2x.rsinc.local:389 and
>> > ipa01-jap.rsinc.local:389 still exist. If not then there is probably a
>> > dangling replication agreement for o=ipaca suffix.
>> >
>> > --
>> > Petr Vobornik
>>
>

--
Petr Vobornik

From jhrozek at redhat.com Fri Jul 15 08:05:23 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 15 Jul 2016 10:05:23 +0200
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
In-Reply-To: <20160715065943.GA30895@10.4.128.1>
References: <20160715065943.GA30895@10.4.128.1>
Message-ID: <20160715080523.GK4734@hendrix>

On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> On (15/07/16 12:56), Lachlan Musicman wrote:
> >This line:
> >
> >We have SELinux disabled on all of our servers, but we hadn't disabled this
> >check in sssd.conf. So we enabled it in sssd.conf and everything worked
> >fine.
> >
> >Should read that we *disabled* selinux.
> >
> >selinux_provider = none
> Could you also try another solution?
> put "override_space = _" into "sssd" section in sssd.conf
> and restart sssd.
>
> As a result of this space will be replaced with underscore
> and libsemanage should not complain.
>
> @see man sssd.conf -> override_space

This is either a bug in semanage, we should file one and ask the semanage developers if there is a proper way to quote the spaces.

But yes, selinux_provider=none would disable this area of code.

From pvoborni at redhat.com Fri Jul 15 08:34:45 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 15 Jul 2016 10:34:45 +0200
Subject: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
In-Reply-To:
References: <89213DDB84447F44A8E8950A5C2185E04825FACC@SJN01013.jnmain00.corp.jndata.net> <9bb5c659-e739-12fc-0f8b-4635fbb5d21d@redhat.com>
Message-ID: <76b7f163-d5c8-0e97-d871-7594694e0fbc@redhat.com>

On 07/14/2016 10:16 PM, Devin Acosta wrote:
> When i tried to create the replica from another server, it fails giving me this?
>
> [root at ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address 10.40.x.x
> Directory Manager (existing master) password:
>
> If you installed IPA with your own certificates using PKCS#12 files you must
> provide PKCS#12 files for any replicas you create as well.
> The replica must be created on the primary IPA server.

What is your topology? Does ipa02-aws have a CA (doesn't seem so)? A replica file can be created only on a replica with a CA, unless the whole topology is installed CA-less (then it needs other options).

It is strongly encouraged to have more than one replica with a CA.

Was anything in the directory server errors log on the master?

>
> On Thu, Jul 14, 2016 at 8:22 AM, Petr Vobornik wrote:
>
> > On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote:
> > > Well, I just had the same problem, but in my case I also tried to install a ca:
> > >
> > > 'ipa-replica-install --setup-ca ...'
> > >
> > > Without '--set-up' the installation succeeded.
> > >
> > > Regards,
> > >
> > > Bjarne
> > >
> >
> > The error below is not related to CA.
> >
> > It tries to check that new replica's ldap service principal was replica
> > to master server. The principal is not replicated there and after 60
> > attempts it fails.
> >
> > What is your replication topology? Could it be that other replicas are
> > keeping this master busy?
> >
> > Does installation against other replica work?
> >
> > Could you provide dirsrv error log of the master from the time of
> > installation?
> >
> > >
> > > *From:*Devin Acosta [mailto:linuxguru.co at gmail.com]
> > > *Sent:* 12. juli 2016 21:35
> > > *To:* freeipa-users at redhat.com
> > > *Subject:* [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)
> > >
> > > I am trying to add a 4th replica to my FreeIPA installation. I am running the
> > > latest CentOS 7.2 (full updates) and i have tried multiple times and fails every
> > > time in same location. When it fails I remove the replication agreements and try
> > > again and keeps failing in same location.
> > >
> > > [root at ipa03-aws centos]# ipa-replica-install replica-info-ipa03-aws.rsinc.local.gpg
> > > WARNING: conflicting time&date synchronization service 'chronyd' will
> > > be disabled in favor of ntpd
> > > Directory Manager (existing master) password:
> > > Run connection check to master
> > > Check connection from replica to remote master 'ipa01-aws.rsinc.local':
> > >    Directory Service: Unsecure port (389): OK
> > >    Directory Service: Secure port (636): OK
> > >    Kerberos KDC: TCP (88): OK
> > >    Kerberos Kpasswd: TCP (464): OK
> > >    HTTP Server: Unsecure port (80): OK
> > >    HTTP Server: Secure port (443): OK
> > > The following list of ports use UDP protocol and would need to be
> > > checked manually:
> > >    Kerberos KDC: UDP (88): SKIPPED
> > >    Kerberos Kpasswd: UDP (464): SKIPPED
> > > Connection from replica to master is OK.
> > > Start listening on required ports for remote master check
> > > Get credentials to log in to remote master
> > > admin at RSINC.LOCAL password:
> > > Check SSH connection to remote master
> > > Execute check on remote master
> > > Check connection from master to remote replica 'ipa03-aws.rsinc.local':
> > >    Directory Service: Unsecure port (389): OK
> > >    Directory Service: Secure port (636): OK
> > >    Kerberos KDC: TCP (88): OK
> > >    Kerberos KDC: UDP (88): OK
> > >    Kerberos Kpasswd: TCP (464): OK
> > >    Kerberos Kpasswd: UDP (464): OK
> > >    HTTP Server: Unsecure port (80): OK
> > >    HTTP Server: Secure port (443): OK
> > > Connection from master to replica is OK.
> > > Connection check OK
> > > Configuring NTP daemon (ntpd)
> > >   [1/4]: stopping ntpd
> > >   [2/4]: writing configuration
> > >   [3/4]: configuring ntpd to start on boot
> > >   [4/4]: starting ntpd
> > > Done configuring NTP daemon (ntpd).
> > > Configuring directory server (dirsrv).
> > > Estimated time: 1 minute
> > >   [1/38]: creating directory server user
> > >   [2/38]: creating directory server instance
> > >   [3/38]: adding default schema
> > >   [4/38]: enabling memberof plugin
> > >   [5/38]: enabling winsync plugin
> > >   [6/38]: configuring replication version plugin
> > >   [7/38]: enabling IPA enrollment plugin
> > >   [8/38]: enabling ldapi
> > >   [9/38]: configuring uniqueness plugin
> > >   [10/38]: configuring uuid plugin
> > >   [11/38]: configuring modrdn plugin
> > >   [12/38]: configuring DNS plugin
> > >   [13/38]: enabling entryUSN plugin
> > >   [14/38]: configuring lockout plugin
> > >   [15/38]: creating indices
> > >   [16/38]: enabling referential integrity plugin
> > >   [17/38]: configuring ssl for ds instance
> > >   [18/38]: configuring certmap.conf
> > >   [19/38]: configure autobind for root
> > >   [20/38]: configure new location for managed entries
> > >   [21/38]: configure dirsrv ccache
> > >   [22/38]: enable SASL mapping fallback
> > >   [23/38]: restarting directory server
> > >   [24/38]: setting up initial replication
> > > Starting replication, please wait until this has completed.
> > > Update in progress, 4 seconds elapsed
> > > Update succeeded
> > >   [25/38]: updating schema
> > >   [26/38]: setting Auto Member configuration
> > >   [27/38]: enabling S4U2Proxy delegation
> > >   [28/38]: importing CA certificates from LDAP
> > >   [29/38]: initializing group membership
> > >   [30/38]: adding master entry
> > >   [31/38]: initializing domain level
> > >   [32/38]: configuring Posix uid/gid generation
> > >   [33/38]: adding replication acis
> > >   [34/38]: enabling compatibility plugin
> > >   [35/38]: activating sidgen plugin
> > >   [36/38]: activating extdom plugin
> > >   [37/38]: tuning directory server
> > >   [38/38]: configuring directory to start on boot
> > > Done configuring directory server (dirsrv).
> > > Configuring Kerberos KDC (krb5kdc).
> > > Estimated time: 30 seconds
> > >   [1/8]: adding sasl mappings to the directory
> > >   [2/8]: configuring KDC
> > >   [3/8]: creating a keytab for the directory
> > >   [4/8]: creating a keytab for the machine
> > >   [5/8]: adding the password extension to the directory
> > >   [6/8]: enable GSSAPI for replication
> > >   [error] RuntimeError: One of the ldap service principals is missing.
> > > Replication agreement cannot be converted.
> > > Replication error message: Can't acquire busy replica
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap
> > > service principals is missing. Replication agreement cannot be converted.
> > > Replication error message: Can't acquire busy replica
> > >
> > > Please see attached file for the full log file.
> > >
> > > Any help would be appreciated!
> > >
> >
> > --
> > Petr Vobornik
>

--
Petr Vobornik

From andreas.ladanyi at kit.edu Fri Jul 15 10:08:52 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Fri, 15 Jul 2016 12:08:52 +0200
Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment
In-Reply-To:
References:
Message-ID: <0767b2e3-9554-0939-a7a3-b36d8cfee865@kit.edu>

Hi,

> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has
> been a pain point for quite some time. I've heard that FreeIPA might
> be a solution worth exploring.
>
> I would like to try to avoid user visible disruption if possible,
> however. This means that we would like to keep our Kerberos realm
> name, keep AFS cross-realm authentication working, etc. UIDs
> remaining the same would be good; I'd have to think about

We don't use cross-realm. We created a new realm with a new name. We used ipa migrate-ds to migrate users/groups with their UIDs.
Because we couldn't migrate the user passwords from the old to the new realm, we reset the users' passwords in the new IPA realm and let the users input a new password once.

>
> Essentially all of our clients are various flavors of Debian; mostly
> Jessie (we have an unfortunate number of older machines that I hope to
> upgrade soon).
>
> Has anyone done something like this before? Anyone have any ideas
> what the migration path would look like or whether this is even
> possible?

I have the same situation. We have an old MIT Kerberos / OpenLDAP system which we have to migrate. We use FreeIPA 4.2 on Fedora 23 and the current OpenAFS release and, simply said: it works.

Our first milestone was to migrate the web platforms and everything behind them (Apache with Kerberos auth and data in AFS) first, and after that, with more experience with the AFS / FreeIPA combination, we want to migrate the user homes and client desktops.

>
> Thanks,
>
> Grant Wu
> grantwu at andrew.cmu.edu

regards,
Andreas

From datakid at gmail.com Fri Jul 15 10:17:10 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Fri, 15 Jul 2016 20:17:10 +1000
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
In-Reply-To: <20160715080523.GK4734@hendrix>
References: <20160715065943.GA30895@10.4.128.1> <20160715080523.GK4734@hendrix>
Message-ID:

Won't be able to check until Monday morning (Australia's weekend has started) but can check, yes.

And the reason I reported to you is because you will have more weight with selinux bug tickets than I would.

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 15 July 2016 at 18:05, Jakub Hrozek wrote:
> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> > On (15/07/16 12:56), Lachlan Musicman wrote:
> > >This line:
> > >
> > >We have SELinux disabled on all of our servers, but we hadn't disabled
> > >this check in sssd.conf. So we enabled it in sssd.conf and everything worked
> > >fine.
> > >
> > >Should read that we *disabled* selinux.
> > >
> > >selinux_provider = none
> > Could you also try another solution?
> > put "override_space = _" into "sssd" section in sssd.conf
> > and restart sssd.
> >
> > As a result of this space will be replaced with underscore
> > and libsemanage should not complain.
> >
> > @see man sssd.conf -> override_space
>
> This is either a bug in semenage, we should file one and ask the
> semanage developers if there is a proper way to quote the spaces.
>
> But yes, selinux_provider=none would disable this area of code.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From marc.boorshtein at tremolosecurity.com Fri Jul 15 10:49:30 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Fri, 15 Jul 2016 06:49:30 -0400
Subject: [Freeipa-users] DNS Forwarding stops working
Message-ID:

I've got a FreeIPA server using an AD server as a DNS forwarder. It was working great until about an hour ago and now FreeIPA won't forward any requests to the DNS server. Using nslookup from the server against AD works perfectly. Restarting services has not worked. How can I debug this issue?
Details:

CentOS 7 - CentOS Linux release 7.2.1511 (Core)
IPA - ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

From pvoborni at redhat.com Fri Jul 15 11:01:07 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 15 Jul 2016 13:01:07 +0200
Subject: [Freeipa-users] DNS Forwarding stops working
In-Reply-To:
References:
Message-ID:

On 07/15/2016 12:49 PM, Marc Boorshtein wrote:
> I've got a freeipa server using an AD server as a DNS forwarder. It
> was working great until about an hour ago and now FreeIPA won't
> forward any requests to the DNS server. using nslookup from the
> server against ad works perfectly. Restarting services has not
> worked. How can I debug this issue? Details:
>
> CentOS 7 - CentOS Linux release 7.2.1511 (Core)
> IPA - ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
>
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> Twitter - @mlbiam / @tremolosecurity
>

I'd start with investigation of:

# journalctl -u named-pkcs11

And with:

# ipactl status

--
Petr Vobornik

From lslebodn at redhat.com Fri Jul 15 11:13:25 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 15 Jul 2016 13:13:25 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu>
Message-ID: <20160715111324.GD30895@10.4.128.1>

On (14/07/16 21:23), Sullivan, Daniel [AAA] wrote:
>Justin,
>
>Thank you for taking the time to reply to me; I really
>appreciate your willingness to help.
>
>Upgrading to sssd 1.14 (from the copr repo) on the client seems to have fixed this problem across the board. I don't have a system that is currently broken to capture this data, but if it is important for you to have the log data to try and resolve this bug I could try to obtain it for you by purposely trying to induce the issue by upgrading another system and hoping the bug presents itself, and then capture the data. Please advise if you would like me to attempt this.
>
>I was really frustrated by this bug and am happy that I can consider this issue resolved. Please let me know if you would like me to try and capture the data as you described.
>

I am glad that 1.14 works for you :-)
But there might be other bugs. I know about a few regressions.

BTW, about the HBAC issue, did you use the default_domain_suffix previously?

LS

From dsullivan2 at bsd.uchicago.edu Fri Jul 15 12:00:56 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Fri, 15 Jul 2016 12:00:56 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160715111324.GD30895@10.4.128.1>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1>
Message-ID: <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu>

Lukas,

Thank you for your reply and inquiry.

First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade.

And yes, I am assessing a possible software regression at the current moment.
It might be related to the default_domain_suffix you are inquiring about. Basically I am getting inconsistent results on invocation of the id command when specifying the username as 'username' or 'username at fqdn' on a client running 1.14 against a DC running 1.13 (i.e. no way to reliably invoke id against a trusted domain account). Sometimes the command will return a result, and sometimes it will not. Looking at nss debug logs it appears that a duplicate fqdn is being appended to the nss query as shown here (as @bsdad.uchicago.edu at bsdad.uchicago.edu). This lookup fails.

(Fri Jul 15 06:53:07 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:mjarsulic at bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=mjarsulic at bsdad.uchicago.edu:-]
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x7d0860
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:1:mjarsulic at bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x7d0860
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7a1730
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/bsdad.uchicago.edu/mjarsulic at bsdad.uchicago.edu]
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [mjarsulic at bsdad.uchicago.edu]
(Fri Jul 15 06:53:07 2016) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7bb560

Right now I am considering snapshotting our DC, upgrading the sssd to 1.14 on it, flushing the cache on DC and client (both 1.14), and re-testing. If you have any insight on resolving this issue I'd be interested in hearing your thoughts.

Best,

Dan

On Jul 15, 2016, at 6:13 AM, Lukas Slebodnik wrote:

> On (14/07/16 21:23), Sullivan, Daniel [AAA] wrote:
> Justin,
>
> Thank you for taking the time to reply to me; I really appreciate your willingness to help.
>
> Upgrading to sssd1.14 (from the copr repo) on the client seems to have fixed this problem across the board. I don't have a system that is currently broken to capture this data, but if it is important for you to have the log data to try and resolve this bug I could try to obtain it for you by purposely try to induce the issue by upgrading another system and hoping the bug presents itself, and then capture the data. Please advise if you would like me to attempt this.
>
> I was really frustrated by this bug and am happy that I can consider this issue resolved. Please let me know if you would like me to try and capture the data as you described.
>
> I am glad that 1.14 works for you :-)
> But there might be other bugs. I know about few regressions.
>
> BTW about the HBAC issue, did you use the default_domain_suffix previously?
> LS

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From dsullivan2 at bsd.uchicago.edu Fri Jul 15 12:07:32 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Fri, 15 Jul 2016 12:07:32 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160715111324.GD30895@10.4.128.1>
References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1>
Message-ID: <122CE942-4A6E-40BE-9421-8DDD1A22A69E@bsd.uchicago.edu>

Lukas,

Also, I would be interested to have high-level knowledge of the known regressions you describe, so that we can more quickly identify that we are being impacted by a known issue as we move forward with testing and evaluation of our IPA implementation, particularly if they are missing from the 1.14 section of (6 tickets open):

https://fedorahosted.org/sssd/report/2

Best,

Dan

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is
addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you University of Chicago Medicine and Biological Sciences ******************************************************************************** From jhrozek at redhat.com Fri Jul 15 12:12:02 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 15 Jul 2016 14:12:02 +0200 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> Message-ID: <20160715121202.GP4734@hendrix> On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote: > Lukas, > > Thank you for your reply and inquiry. > > First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade. > > And yes, I am assessing a possible software regression at the > current moment. It might be related to the default_domain_suffix > you are inquiring about. Basically I am getting inconsistent > results on invocation of the id command with specifying the username > as ?username? or ?username at fqdn? 
on a client running 1.14 > against a DC running 1.13 (i.e. no way to reliably invoke id against a > trusted domain account). Sometimes the command will return a result, > and sometimes it will not. No result or missing groups? > Looking at nss debug logs it appears that > a duplicate fqdn is being appended to the nss query as show here (as > @bsdad.uchicago.edu at bsdad.uchicago.edu). > This lookup fails. Yes, this is wrong, can you send me the full NSS and domain logs please? From dsullivan2 at bsd.uchicago.edu Fri Jul 15 13:22:07 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Fri, 15 Jul 2016 13:22:07 +0000 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <20160715121202.GP4734@hendrix> References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> Message-ID: <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> Jakub, Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me. To answer your question, no record is returned (not missing groups). For example, the output of the failure was: [root at cri-kcriwebgdp1 log]# id mjarsulic id: mjarsulic: No such user As per your request I have attached domain and nss logs for a lookup on the user ?spott? (command invoked ?id spott? on the client). (immediately after executing 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/*; service sssd start;? 
on the client): IPA - https://gist.github.com/dsulli99/4e45faa39474b9131be811e4a0779c40 NSS - https://gist.github.com/dsulli99/e2e10da34ff860ec15e56ea521eb8315 Not every record fails, and the behavior is inconsistent between lookups (i.e. sometimes a user will lookup correctly, sometimes it will not), but it appears that in some situations a timeout is occurring in the nss logs (not in the failure above). In these situations it looks to me like the query is dispatched to the DC, and the lookup times out. If I wait a little bit and perform the lookup on the same user again, the record is returned (presumably because the DC eventually resolved and cached the query?). We are migrating from CentrifyDC and have loaded 2000+ custom ID overrides into our Default Trust ID View; perhaps we will need to implement the tempfs caching for the /var/lib/sss/db on the DC as described in your performance tuning document (https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/). These timeouts look like: (Fri Jul 15 07:21:04 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson at bsdad.uchicago.edu@bsdad.uchicago.edu] (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson at bsdad.uchicago.edu:-] (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x1fa9020 (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:1:bson at bsdad.uchicago.edu@bsdad.uchicago.edu] (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x1fa9020 (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1fa0730 (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching. 
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out (Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 110, Connection timed out Will try to return what we have in cache (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson at bsdad.uchicago.edu@bsdad.uchicago.edu] (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22] (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22] (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x1fa7fc0][22] I?m going to implement tmpfs caching on the DC, hopefully this will address at least a subset of these lookup failures. I?ll report back with my findings. Thank you again for your help. Best, Dan Sullivan On Jul 15, 2016, at 7:12 AM, Jakub Hrozek > wrote: On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote: Lukas, Thank you for your reply and inquiry. First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade. And yes, I am assessing a possible software regression at the current moment. It might be related to the default_domain_suffix you are inquiring about. Basically I am getting inconsistent results on invocation of the id command with specifying the username as ?username? or ?username at fqdn? on a client running 1.14 against a DC running 1.13 (i.e. no way to reliably invoke id against a trusted domain account). 
Sometimes the command will return a result, and sometimes it will not. No result or missing groups? Looking at nss debug logs it appears that a duplicate fqdn is being appended to the nss query as show here (as @bsdad.uchicago.edu at bsdad.uchicago.edu). This lookup fails. Yes, this is wrong, can you send me the full NSS and domain logs please? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project ******************************************************************************** This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. 
Thank you University of Chicago Medicine and Biological Sciences ******************************************************************************** From dsullivan2 at bsd.uchicago.edu Fri Jul 15 14:04:43 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Fri, 15 Jul 2016 14:04:43 +0000 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> References: <772299AF-EC3C-4DE5-99F9-EE16CC9189DD@bsd.uchicago.edu> <6582d0a7-682f-3f51-e342-28533967af7b@redhat.com> <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> Message-ID: Hi, Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears to have helped significantly. This issue is becoming much more difficult to reproduce, although I can still reproduce it. Now, it appears that rapid successive invocations of the id command will yield a returned record. The timeout for the output specified below (i.e. the time it took the first command to return) was definitely less than 60 seconds, probably 10-20. I am going to look into the tuning options for sssd, and would of course be interested in any advisement you could provide this regard. AFAIK this issue currently only impacts users with a large number of groups (in fact I have only been able to cause this issue one one user after tuning as described above). I am going to script a test and do a lookup for every single ID Override user in our environment to see what kind of a hit rate I get. 
I?ll report back. Thank you again for your help. [root at cri-kcriwebgdp1 log]# id rcrist id: rcrist: No such user [root at cri-kcriwebgdp1 log]# id rcrist uid=339748142(rcrist) gid=339748142(rcrist) groups=339748142(rcrist),339801232(cri-aaa_static_hosting),788635799(adm-sde-clients),788600520(group policy creator owners),788602710(bsd exchange view only administrators),339792922(cri-all_users),788659064(aaa-static_hosting_groups),788601114(bsd$ dns read),788609545(adm-trackitusers),339806103(cri-ciscat),788609528(adm-bsd-mis),788619855(adm-oua-dl),788615498(adm-himss),788637726(adm-dstmlist-dl),788600513(domain users),788601110(bsd$ all oua),788654299(cri-all_groups),788658170(ocr-sharepoint ocr members),788619946(adm-trackitreports),788638566(ocr-coi),788633650(#ocr-office-dl),788644425(ocr velos email),788609542(adm-testgroup1),788638733(ocr-dfc-users),788665477(med-section_shares-clinical trials (only)),788609532(adm-bsdis-print),788634332(ocr-clinical research),788609546(adm-tss),788658806(ocr-hiro),788672525(ocr-bsdvpn-allow),788640103(adm shpt srp contributors),788659092(ocr-sharepoint-velosupgrade),788639053(ocr-velos-tickets),788610719(adm-premigration-proofpoint),788635798(adm-sde-techs),788635657(adm-www-clinres),788653680(ocr-email-management),788663575(ocr-bsdirb),788658171(ocr-sharepoint irb members),788650124(ocr it),788609567(ors-teleform),788653595(ocr$ oua),788609341(ic),788646237(adm shpt ocr visitors),788609544(adm-trackittech),788671562(ocr-ocrepic),788652940(dma management) Dan On Jul 15, 2016, at 8:22 AM, Sullivan, Daniel [AAA] > wrote: Jakub, Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me. To answer your question, no record is returned (not missing groups). For example, the output of the failure was: [root at cri-kcriwebgdp1 log]# id mjarsulic id: mjarsulic: No such user As per your request I have attached domain and nss logs for a lookup on the user ?spott? 
> (command invoked "id spott" on the client), immediately after executing 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/*; service sssd start;' on the client:
>
> IPA - https://gist.github.com/dsulli99/4e45faa39474b9131be811e4a0779c40
> NSS - https://gist.github.com/dsulli99/e2e10da34ff860ec15e56ea521eb8315
>
> Not every record fails, and the behavior is inconsistent between lookups (i.e. sometimes a user will look up correctly, sometimes it will not), but it appears that in some situations a timeout is occurring in the nss logs (not in the failure above). In these situations it looks to me like the query is dispatched to the DC, and the lookup times out. If I wait a little bit and perform the lookup on the same user again, the record is returned (presumably because the DC eventually resolved and cached the query?). We are migrating from CentrifyDC and have loaded 2000+ custom ID overrides into our Default Trust ID View; perhaps we will need to implement the tmpfs caching for /var/lib/sss/db on the DC as described in your performance tuning document (https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/). These timeouts look like:
>
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson@bsdad.uchicago.edu:-]
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x1fa9020
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x1fa9020
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1fa0730
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 110, Connection timed out
> Will try to return what we have in cache
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x1fa7fc0][22]
>
> I'm going to implement tmpfs caching on the DC, hopefully this will address at least a subset of these lookup failures. I'll report back with my findings.
>
> Thank you again for your help.
>
> Best,
>
> Dan Sullivan
>
> On Jul 15, 2016, at 7:12 AM, Jakub Hrozek wrote:
>
> > On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote:
> > > Lukas,
> > >
> > > Thank you for your reply and inquiry.
> > >
> > > First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade.
> > >
> > > And yes, I am assessing a possible software regression at the current moment. It might be related to the default_domain_suffix you are inquiring about. Basically I am getting inconsistent results on invocation of the id command with specifying the username as "username" or "username@fqdn" on a client running 1.14 against a DC running 1.13 (i.e. no way to reliably invoke id against a trusted domain account). Sometimes the command will return a result, and sometimes it will not.
> >
> > No result or missing groups?
> >
> > > Looking at nss debug logs it appears that a duplicate fqdn is being appended to the nss query as shown here (as @bsdad.uchicago.edu@bsdad.uchicago.edu). This lookup fails.
> >
> > Yes, this is wrong, can you send me the full NSS and domain logs please?

From Dan.Finkelstein at high5games.com Fri Jul 15 15:20:03 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 15 Jul 2016 15:20:03 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding
Message-ID:

Hi all,

I'm trying to follow the directions (and cautions) from here: http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone (example2.com) and a forwarding address and set the zone to forward-only, no records are returned for hosts like, say, testhost.example2.com. The NS record for the domain is the authoritative nameserver for the example2.com domain (which belongs to someone else), so we don't know why it doesn't return records whereas direct queries against the remote nameserver work fine. Any help with the configuration would be appreciated.

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From jhrozek at redhat.com Fri Jul 15 15:20:11 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 15 Jul 2016 17:20:11 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu>
References: <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu>
Message-ID: <20160715152011.GQ4734@hendrix>

On Fri, Jul 15, 2016 at 01:22:07PM +0000, Sullivan, Daniel [AAA] wrote:
> Jakub,
>
> Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me.
>
> To answer your question, no record is returned (not missing groups). For example, the output of the failure was:
>
> [root@cri-kcriwebgdp1 log]# id mjarsulic
> id: mjarsulic: No such user
>
> As per your request I have attached domain and nss logs for a lookup on the
> user "spott" (command invoked "id spott" on the client). (immediately
> after executing 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/*;
> service sssd start;' on the client):

Thank you, but did this command return "No such user"? If it did, was the user cached previously (iow, was there a successful lookup before)?

The thing I'm confused about is that even if the back end request failed (indicated by the "s2n exop request failed" message), I would expect the NSS process to still return data from the cache.

As per why the request failed, you need to look into the matching logs on the server side around the time the s2n request failed to see if there was some issue with lookups.

The double-qualification is just an annoying debug message. In 1.14, we store all usernames fully qualified (that's the first one you see) but also append the domain name in some functions when printing debug messages (that's the second one).

> IPA - https://gist.github.com/dsulli99/4e45faa39474b9131be811e4a0779c40
> NSS - https://gist.github.com/dsulli99/e2e10da34ff860ec15e56ea521eb8315
>
> Not every record fails, and the behavior is inconsistent between lookups (i.e. sometimes a user will look up correctly, sometimes it will not), but it appears that in some situations a timeout is occurring in the nss logs (not in the failure above). In these situations it looks to me like the query is dispatched to the DC, and the lookup times out. If I wait a little bit and perform the lookup on the same user again, the record is returned (presumably because the DC eventually resolved and cached the query?). We are migrating from CentrifyDC and have loaded 2000+ custom ID overrides into our Default Trust ID View; perhaps we will need to implement the tmpfs caching for /var/lib/sss/db on the DC as described in your performance tuning document (https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/). These timeouts look like:
>
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson@bsdad.uchicago.edu:-]
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x1fa9020
> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x1fa9020
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1fa0730
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 110, Connection timed out
> Will try to return what we have in cache
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x1fa7fc0][22]
>
> I'm going to implement tmpfs caching on the DC, hopefully this will address at least a subset of these lookup failures. I'll report back with my findings.
>
> Thank you again for your help.
>
> Best,
>
> Dan Sullivan
>
> On Jul 15, 2016, at 7:12 AM, Jakub Hrozek wrote:
>
> > On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote:
> > > Lukas,
> > >
> > > Thank you for your reply and inquiry.
> > >
> > > First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade.
> > >
> > > And yes, I am assessing a possible software regression at the current moment. It might be related to the default_domain_suffix you are inquiring about. Basically I am getting inconsistent results on invocation of the id command with specifying the username as "username" or "username@fqdn" on a client running 1.14 against a DC running 1.13 (i.e. no way to reliably invoke id against a trusted domain account). Sometimes the command will return a result, and sometimes it will not.
> >
> > No result or missing groups?
> >
> > > Looking at nss debug logs it appears that a duplicate fqdn is being appended to the nss query as shown here (as @bsdad.uchicago.edu@bsdad.uchicago.edu). This lookup fails.
> >
> > Yes, this is wrong, can you send me the full NSS and domain logs please?

From jhrozek at redhat.com Fri Jul 15 15:22:41 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 15 Jul 2016 17:22:41 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To:
References: <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu>
Message-ID: <20160715152241.GR4734@hendrix>

On Fri, Jul 15, 2016 at 02:04:43PM +0000, Sullivan, Daniel [AAA] wrote:
> Hi,
>
> Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears to have helped significantly.

pam_id_timeout and krb5_auth_timeout are only applied during login, not when id is invoked. So I think the piece that helped in your environment was the tmpfs on the server.

Still, I think there are two issues:
1) why does the s2n operation fail at all? We should look into the server logs around the time the s2n operation fails to find the reason
2) why doesn't sssd on the client return cached data if the s2n request fails? See my other mail, I'm interested if the data was cached from a previous lookup.
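To go with Jakub's two open questions (why the back-end lookup fails, and whether the user was ever cached), here is an added triage script; it is not code from the thread or from the SSSD project. It parses nss debug lines in the format Dan quoted, pairs each Data Provider request with the reply that arrives before its destructor, reports the back-end latency and DP error code/errno, and collapses the doubled "@domain" that 1.14 prints so the request key shows the name that was actually looked up. The lines in SAMPLE_LOG are constructed to match the quoted format; "exampleuser" and its timestamps are made up.

```python
"""Triage sssd nss debug logs: pair Data Provider requests with their replies."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One nss debug line: "(timestamp) [sssd[nss]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[\w+\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
KEY_RE = re.compile(r"\[(?P<key>[^\]]+)\]\s*$")  # trailing [<hash>:<type>:<name>]
REPLY_RE = re.compile(
    r"DP error code: (?P<code>\d+) errno: (?P<errno>\d+) error message: (?P<text>.*)"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def normalize_name(name: str) -> str:
    """Collapse the doubled '@domain' that sssd 1.14 prints in request keys.

    'bson@bsdad.uchicago.edu@bsdad.uchicago.edu' -> 'bson@bsdad.uchicago.edu';
    singly-qualified or unqualified names come back unchanged.
    """
    parts = name.split("@")
    if len(parts) >= 3 and parts[-1] == parts[-2]:
        parts.pop()
    return "@".join(parts)


@dataclass
class DpRequest:
    key: str
    name: str
    issued: datetime
    finished: Optional[datetime] = None
    dp_error: Optional[int] = None
    errno: Optional[int] = None
    message: Optional[str] = None

    @property
    def seconds(self) -> Optional[float]:
        """Back-end wall-clock time, or None if no reply appears in the excerpt."""
        if self.finished is None:
            return None
        return (self.finished - self.issued).total_seconds()

    @property
    def timed_out(self) -> bool:
        # DP error code 3 with errno 110 (ETIMEDOUT), as in the quoted log
        return self.dp_error == 3 and self.errno == 110


def triage(lines: List[str]) -> List[DpRequest]:
    """Walk the log once; a reply belongs to the request whose destructor follows it."""
    in_flight: Dict[str, DpRequest] = {}
    last_reply: Optional[Tuple[datetime, int, int, str]] = None
    done: List[DpRequest] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:  # continuation lines such as "Error: 3, 110, ..." have no timestamp
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        func, msg = m["func"], m["msg"]
        key_match = KEY_RE.search(msg)
        if func == "sss_dp_issue_request" and key_match:
            key = key_match["key"]
            name = key.split(":", 2)[-1]  # key layout is <hash>:<type>:<name>
            in_flight[key] = DpRequest(key=key, name=normalize_name(name), issued=ts)
        elif func == "sss_dp_get_reply":
            r = REPLY_RE.search(msg)
            if r:
                last_reply = (ts, int(r["code"]), int(r["errno"]), r["text"].strip())
        elif func == "sss_dp_req_destructor" and key_match:
            req = in_flight.pop(key_match["key"], None)
            if req is None:
                continue
            if last_reply is not None:
                req.finished, req.dp_error, req.errno, req.message = last_reply
                last_reply = None
            done.append(req)
    done.extend(in_flight.values())  # issued but never answered in this excerpt
    return done


# Constructed sample in the quoted format: a quick successful lookup for a
# made-up user, then the timed-out lookup for bson as the thread shows it.
SAMPLE_LOG = """\
(Fri Jul 15 07:20:58 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e6a0:1:exampleuser@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:00 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Jul 15 07:21:00 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e6a0:1:exampleuser@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson@bsdad.uchicago.edu:-]
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 110, Connection timed out
Will try to return what we have in cache
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
""".splitlines()
```

Feed it the nss responder log from /var/log/sssd/ with debug_level raised; each timed-out or unanswered request gives the exact timestamp to look for in the matching domain log on the server side.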
From Dan.Finkelstein at high5games.com Fri Jul 15 16:10:51 2016 From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com) Date: Fri, 15 Jul 2016 16:10:51 +0000 Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding Message-ID: <315DBF50-976A-45FE-9F4F-1AF44C1DAE51@high5games.com> To give this a little more context, I've tried this: [root at ipa ~]# ipa dnsforwardzone-add example2.com. --forwarder=10.55.10.151 --forward-policy=only Server will check DNS forwarder(s). This may take some time, please wait ... ipa: WARNING: DNSSEC validation failed: record 'example2.com. SOA' failed DNSSEC validation on server 10.55.10.31. Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers. Zone name: example2.com. Active zone: TRUE Zone forwarders: 10.55.10.151 Forward policy: only We don't care about DNSSEC validation on the forwarded zone, but we do on the zones that IPA is authoritative for. Thanks, Dan [cid:image001.jpg at 01D1DE91.EE28CAD0] Daniel Alex Finkelstein| Lead Dev Ops Engineer Dan.Finkelstein at h5g.com | 212.604.3447 One World Trade Center, New York, NY 10007 www.high5games.com Play High 5 Casino and Shake the Sky Follow us on: Facebook, Twitter, YouTube, Linkedin This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful. 
From: on behalf of Daniel Finkestein Date: Friday, July 15, 2016 at 11:20 To: "freeipa-users at redhat.com" Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding Hi all, I'm trying to follow the directions (and cautions) from here: http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone (example2.com) and a forwarding address and set the zone to forward-only, no records are returned for hosts like, say, testhost.example2.com. The NS record for the domain is the authoritative nameserver for the example2.com domain (which belongs to someone else), so we don't know why it doesn't return records whereas direct queries against the remote nameserver work fine. Any help with the configuration would be appreciated. Thanks, Dan [cid:image002.jpg at 01D1DE91.EE28CAD0] Daniel Alex Finkelstein| Lead Dev Ops Engineer Dan.Finkelstein at h5g.com | 212.604.3447 One World Trade Center, New York, NY 10007 www.high5games.com Play High 5 Casino and Shake the Sky Follow us on: Facebook, Twitter, YouTube, Linkedin This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 4333 bytes Desc: image001.jpg URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From dsullivan2 at bsd.uchicago.edu Fri Jul 15 16:35:54 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Fri, 15 Jul 2016 16:35:54 +0000
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <20160715152011.GQ4734@hendrix>
References: <1DA98071-1AB7-4F88-A6B8-45F6A76BB337@bsd.uchicago.edu> <20160713061007.ixdzzzhfhcqyvtar@redhat.com> <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix>
Message-ID: <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu>

Jakub,

Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said:

> Thank you, but did this command return "No such user"?

Yes. Whenever this occurs "No such user" is the result from the id command executed on the client.

> If it did, was the user cached previously (iow, was there a successful lookup before)?

No, this is the first time the user has ever been looked up. As far as I know the user has never been successfully entered into the cache. Similarly, the user has never logged in to the IPA server via an SSSD client.
Here is an example of a failed lookup from a client:

[root@cri-kcriwebgdp1 problem]# id hahsan
id: hahsan: No such user

The DC logs for this operation are
NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

I can lookup this user fine on the DC:

[root@cri-ksysipadcp2 sssd]# id hahsan
uid=339741696(hahsan@bsdad.uchicago.edu) gid=339741696(hahsan@bsdad.uchicago.edu) groups=339741696(hahsan@bsdad.uchicago.edu),788655857

I appreciate your help with this.

Best,
Dan

On Jul 15, 2016, at 10:20 AM, Jakub Hrozek wrote:

> On Fri, Jul 15, 2016 at 01:22:07PM +0000, Sullivan, Daniel [AAA] wrote:
>> Jakub,
>>
>> Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me.
>>
>> To answer your question, no record is returned (not missing groups). For example, the output of the failure was:
>>
>> [root@cri-kcriwebgdp1 log]# id mjarsulic
>> id: mjarsulic: No such user
>>
>> As per your request I have attached domain and nss logs for a lookup on the user 'spott' (command invoked 'id spott' on the client) (immediately after executing 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/*; service sssd start;' on the client):
>
> Thank you, but did this command return "No such user"? If it did, was the user cached previously (iow, was there a successful lookup before)?
>
> The thing I'm confused about is that even if the back end request failed (indicated by the "s2n exop request failed" message), I would expect the NSS process to still return data from the cache.
>
> As per why the request failed, you need to look into the matching logs on the server side around that time the s2n request failed to see if there was some issue with lookups.
>
> The double-qualification is just an annoying debug message.
> In 1.14, we store all usernames fully qualified (that's the first one you see) but also append the domain name in some functions when printing debug messages (that's the second one).
>
>> IPA - https://gist.github.com/dsulli99/4e45faa39474b9131be811e4a0779c40
>> NSS - https://gist.github.com/dsulli99/e2e10da34ff860ec15e56ea521eb8315
>>
>> Not every record fails, and the behavior is inconsistent between lookups (i.e. sometimes a user will lookup correctly, sometimes it will not), but it appears that in some situations a timeout is occurring in the nss logs (not in the failure above). In these situations it looks to me like the query is dispatched to the DC, and the lookup times out. If I wait a little bit and perform the lookup on the same user again, the record is returned (presumably because the DC eventually resolved and cached the query?). We are migrating from CentrifyDC and have loaded 2000+ custom ID overrides into our Default Trust ID View; perhaps we will need to implement the tempfs caching for the /var/lib/sss/db on the DC as described in your performance tuning document (https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/). These timeouts look like:
>>
>> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
>> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
>> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson@bsdad.uchicago.edu:-]
>> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x1fa9020
>> (Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x1fa9020
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1fa0730
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 110, Connection timed out Will try to return what we have in cache
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1fa7fc0][22]
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>> (Fri Jul 15 07:21:17 2016) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x1fa7fc0][22]
>>
>> I'm going to implement tmpfs caching on the DC, hopefully this will address at least a subset of these lookup failures. I'll report back with my findings. Thank you again for your help.
>> Best,
>> Dan Sullivan
>>
>> On Jul 15, 2016, at 7:12 AM, Jakub Hrozek wrote:
>>
>>> On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote:
>>>> Lukas,
>>>>
>>>> Thank you for your reply and inquiry. First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade. And yes, I am assessing a possible software regression at the current moment. It might be related to the default_domain_suffix you are inquiring about. Basically I am getting inconsistent results on invocation of the id command with specifying the username as 'username' or 'username@fqdn' on a client running 1.14 against a DC running 1.13 (i.e. no way to reliably invoke id against a trusted domain account). Sometimes the command will return a result, and sometimes it will not.
>>>
>>> No result or missing groups?
>>>
>>>> Looking at nss debug logs it appears that a duplicate fqdn is being appended to the nss query as shown here (as @bsdad.uchicago.edu@bsdad.uchicago.edu). This lookup fails.
>>>
>>> Yes, this is wrong, can you send me the full NSS and domain logs please?
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> ********************************************************************************
>> This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal.
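As an added example (not code from this thread, from SSSD, or from the poster's gists), a small Python checker that walks sssd_nss.log lines of the shape quoted above, pairs each "Issuing request" with its "Deleting request" and the Data Provider reply logged in between, and flags the lookups the back end answered with errno 110 (Connection timed out). The log lines embedded in it are constructed to match the excerpt, and the "Success" reply line is assumed rather than copied from the thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the sssd_nss.log excerpt in this thread;
# the 'Success' reply line is an assumption, not taken from the poster's logs.
SAMPLE_NSS_LOG = """\
(Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:04 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [bsdad.uchicago.edu][0x1][BE_REQ_USER][1][name=bson@bsdad.uchicago.edu:-]
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 110 error message: Connection timed out
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 110, Connection timed out Will try to return what we have in cache
(Fri Jul 15 07:21:17 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:1:bson@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:30 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e9a0:1:spott@bsdad.uchicago.edu@bsdad.uchicago.edu]
(Fri Jul 15 07:21:31 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Jul 15 07:21:31 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e9a0:1:spott@bsdad.uchicago.edu@bsdad.uchicago.edu]
"""

# (timestamp) [sssd[component]] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ISSUE_RE = re.compile(r"Issuing request for \[(?P<id>[^\]]+)\]")
DELETE_RE = re.compile(r"Deleting request: \[(?P<id>[^\]]+)\]")
REPLY_RE = re.compile(
    r"DP error code: (?P<dp>\d+) errno: (?P<errno>\d+) error message: (?P<text>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
ETIMEDOUT = 110


def parse_line(line):
    """Split one SSSD debug line into its fields; None for non-matching lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def request_user(req_id):
    """Recover the looked-up name from an id like '0x41e750:1:bson@dom@dom'.
    The repeated domain is the 1.14 debug-message artifact described in the
    thread, so one trailing duplicate copy is dropped."""
    name = req_id.split(":", 2)[2]
    parts = name.split("@")
    if len(parts) >= 3 and parts[-1] == parts[-2]:
        parts = parts[:-1]
    return "@".join(parts)


def analyse_nss_log(log_text):
    """One record per completed request: who was looked up, how long the
    Data Provider round trip took, and which errno it came back with.
    A reply is attributed to the request whose destructor runs next, which
    matches the nss responder's callback-then-destructor ordering."""
    pending = {}        # request id -> datetime issued
    last_reply = None   # (dp error code, errno, text) of the latest reply
    records = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["comp"] != "nss":
            continue
        msg = entry["msg"]
        m = ISSUE_RE.search(msg)
        if m:
            pending[m["id"]] = entry["ts"]
            continue
        m = REPLY_RE.search(msg)
        if m:
            last_reply = (int(m["dp"]), int(m["errno"]), m["text"].strip())
            continue
        m = DELETE_RE.search(msg)
        if m and m["id"] in pending:
            issued = pending.pop(m["id"])
            dp, err, text = last_reply or (-1, -1, "no Data Provider reply logged")
            last_reply = None
            records.append({
                "id": m["id"],
                "user": request_user(m["id"]),
                "issued": issued,
                "seconds": (entry["ts"] - issued).total_seconds(),
                "dp_error": dp,
                "errno": err,
                "error": text,
            })
    return records


def timed_out_lookups(records):
    """Only the requests the back end answered with ETIMEDOUT (errno 110)."""
    return [r for r in records if r["errno"] == ETIMEDOUT]


if __name__ == "__main__":
    for r in analyse_nss_log(SAMPLE_NSS_LOG):
        flag = "TIMEOUT" if r["errno"] == ETIMEDOUT else "ok"
        print(f"{r['issued']:%H:%M:%S} {r['user']:<32} {r['seconds']:4.0f}s {flag}")
```

Run it against a real sssd_nss.log captured at debug_level 0x0400 or higher; a cluster of TIMEOUT rows with long durations points at the DC-side lookup latency discussed in the thread rather than at a missing cache entry.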
From prasun.gera at gmail.com Fri Jul 15 17:19:59 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 15 Jul 2016 13:19:59 -0400
Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04
In-Reply-To: <20160715075944.GJ4734@hendrix>
References: <20160715075944.GJ4734@hendrix>
Message-ID:

Ubuntu 12.04 won't work very well out of the box. You can get it to work with the freeipa and sssd ppas, but you'll still need some small hacks on top of it. 14.04 is much better, and 16.04 is presumably the best in terms of things working out of the box.

On Fri, Jul 15, 2016 at 3:59 AM, Jakub Hrozek wrote:

> On Fri, Jul 15, 2016 at 11:41:03AM +0530, Visakh MV wrote:
> > Hi Team,
> >
> > I forgot to describe the actual requirement on IPA client machines, which we need to configure client machine SUDO privilege from FreeIPA server for IPA Server users. after configuring client machines can able to login as a IPA user but unable to give sudo privilege from.
> > Please revert back your kind response
>
> We don't have any special Ubuntu guide, the client setup should be the same as on RHEL though, just ipa-client-install.
>
> About sudo, I don't know what sssd version there is on Ubuntu 12, but if it's an old version (<1.9) you might need to configure sudo_provider=ldap. With more recent versions, sudo_provider=ipa is already included.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From Dan.Finkelstein at high5games.com Fri Jul 15 18:45:03 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 15 Jul 2016 18:45:03 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding
In-Reply-To: <315DBF50-976A-45FE-9F4F-1AF44C1DAE51@high5games.com>
References: <315DBF50-976A-45FE-9F4F-1AF44C1DAE51@high5games.com>
Message-ID: <89FADA60-1922-40D3-9232-8DAB5A3F0987@high5games.com>

There was a solution: explicitly disable DNSSEC in /etc/named.conf on all IPA masters/replicas and restart the named-pkcs11 service. After that, zone forwarding worked as expected.

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
From linov.suresh at gmail.com Fri Jul 15 20:51:41 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Fri, 15 Jul 2016 16:51:41 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
Message-ID:

I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago.

Our environment is CentOS 6.4 and IPA 3.0.0-26.

I followed the Redhat documentation, How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server), https://access.redhat.com/solutions/643753 but no luck.

I have also changed the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
nsslapd-validate-cert: warn

Here is my getcert list,

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

From rcritten at redhat.com Fri Jul 15 21:08:56 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 15 Jul 2016 17:08:56 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References:
Message-ID: <578950E8.6040902@redhat.com>

Linov Suresh wrote:
> I logged into my IPA master, and found that the cert had expired again,
> we renewed these certificates about 18 months ago.
>
> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>
> I followed the Redhat documentation, How do I manually renew Identity
> Management (IPA) certificates after they have expired? (Master IPA
> Server), https://access.redhat.com/solutions/643753 but no luck.
>
> I have also changed the directive "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> -b cn=config | grep nsslapd-validate-cert
>
> nsslapd-validate-cert: warn
>
> Here is my getcert list,
>
> [root@caer ~]# getcert list

It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.

What I'd do is go back in time again to say Jan 20, 2016 and restart certmonger. That should make it retry the renewals.

rob

From ipa at eecs.wsu.edu Fri Jul 15 23:52:12 2016
From: ipa at eecs.wsu.edu (ipa at eecs.wsu.edu)
Date: Fri, 15 Jul 2016 16:52:12 -0700 (PDT)
Subject: [Freeipa-users] HowTo/LDAP
Message-ID: <1644775161.2489285.1468626732046.JavaMail.zimbra@eecs.wsu.edu>

Hello,

I was wondering, is this still valid: http://www.freeipa.org/page/HowTo/LDAP

I am using these rpms:

ipa-client-4.2.0-15.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
libipa_hbac-1.13.0-40.el7.x86_64
python-libipa_hbac-1.13.0-40.el7.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
sssd-ipa-1.13.0-40.el7.x86_64
ipa-server-4.2.0-15.el7.centos.x86_64
ipa-python-4.2.0-15.el7.centos.x86_64
ipa-admintools-4.2.0-15.el7.centos.x86_64

I am trying to add a service account to do simple auth from a Netapp so it can get uid/gid for NFS v3 automounting, ultimately.
I was using this: https://www.redhat.com/archives/freeipa-users/2011-December/msg00084.html
and this: https://www.redhat.com/archives/freeipa-users/2011-December/msg00090.html

this kinda worked:

dn: uid=devfs1,cn=sysaccounts,cn=etc,dc=dev,dc=my,dc=domain
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: devfs1
userPassword: mylamepassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
^D

Thanks,
-al

From martin at stefany.eu Sat Jul 16 08:19:19 2016
From: martin at stefany.eu (Martin Štefany)
Date: Sat, 16 Jul 2016 10:19:19 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

Hello Sumit,

seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD logs, but same problem: 'Error looking up public keys'.

selinux-policy-3.13.1-191.fc24.3.noarch
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
sssd-1.13.4-3.fc24.x86_64

Using debug_level 0x0250 ::

$ /usr/bin/sss_ssh_authorizedkeys martin
Error looking up public keys

==> sssd_ssh.log <==
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'martin' matched without domain, user is martin

==> sssd_stefany.eu.log <==
(Sat Jul 16 10:15:51 2016) [sssd[be[stefany.eu]]] [be_get_account_info] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]

==> sssd_ssh.log <==
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Sat Jul 16 10:15:51 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.

Please, any suggestions?

Martin

On 6/22/2016 5:01 PM, Sumit Bose wrote:
> On Tue, Jun 21, 2016 at 01:23:11PM +0200, Martin Štefany wrote:
>> On 6/21/2016 1:16 PM, Sumit Bose wrote:
>>> On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:
>>>> Hello Sumit,
>>>>
>>>> putting SELinux to permissive mode and/or enabling nis_enabled seboolean
>>>> seemed not to help at all. And you are right, my user has userCertificate
>>>> (needed for secure libvirtd connection).
>>>>
>>>>
>>>> [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
>>>> Error looking up public keys
>>>> [martin at desk2 ~]$ sudo setenforce 0
>>>> [sudo] password for martin:
>>>> [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
>>>> Error looking up public keys
>>>> [martin at desk2 ~]$ sudo setsebool nis_enabled on
>>>> [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
>>>> Error looking up public keys
>>>> [martin at desk2 ~]$ sudo sss_cache -E
>>>> [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
>>>> Error looking up public keys
>>>>
>>>> [have a coffee... really]
>>>>
>>>> [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
>>>> ssh-rsa AAA...
>>>> ssh-rsa AAA...
>>>> ssh-ed25519 AAA...
>>>> ssh-rsa AAA...
>>>> ssh-rsa AAA...
>>>
>>> If I understand it correctly you get the same result as on CentOS,
>>> including the unexpected key derived from the certificate, after waiting
>>> for some time? Can you send the sssd_ssh.log with the sequence from
>>> above (if you prefer directly to me) so that I can check why it failed
>>> in the first attempt and later succeeds.
>>>
>>> bye,
>>> Sumit
>>>
>>
>> Hi,
>>
>> yes, now the results are the same, including the originally unexpected key
>> from certificate, and actual SSH pubkey auth finally works.
>>
>> I would send you sssd_ssh.log, but it's empty - I have turned off
>> debug_level sooner, sorry. :(
>>
>> Isn't it the case that sss_cache -E takes a few seconds to actually expire the
>> cache entries?
>
> sss_cache -E itself should be fast, but the next requests like
> sss_ssh_authorizedkeys would need a bit longer because SSSD must now
> read fresh data from the server. Nevertheless it should take some
> seconds, maybe 10-20 with lots of group-memberships, but not as much as
> a coffee break.
>
> bye,
> Sumit
>
>>
>> Thank you.
>> Martin
>>
>>>>
>>>> RH bug for selinux-policy:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1348447
>>>>
>>>> Thank you!
>>>> Martin
>>>>
>>>>
>>>> On 6/21/2016 9:43 AM, Sumit Bose wrote:
>>>>> On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
>>>>>> figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
>>>>>> while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
>>>>>> domain. I will appreciate any help whatsoever.
>>>>>> IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
>>>>>> updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
>>>>>> updates.
>>>>>>
>>>>>> I started by looking to the journal:
>>>>>> jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
>>>>>> from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
>>>>>> ...
>>>>>> jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect
>>>>>> } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
>>>>>> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
>>>>>> jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42
>>>>>> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
>>>>>> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>>> sgid=0
>>>>>
>>>>> Does the user by chance have a certificate added to his entry including
>>>>> a link to an OCSP responder?
>>>>>
>>>>> Recent versions of SSSD have the ability to generate public ssh-keys from
>>>>> valid certificates added to the user entry to support the ssh Smartcard
>>>>> feature (see e.g. the -I option in the ssh man page for details or
>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)
>>>>>
>>>>> While trying to validate the certificate via OCSP sssd_ssh must connect
>>>>> to a http server. To allow this setting the 'nis_enabled' SELinux
>>>>> boolean to true should help.
>>>>>
>>>>> Nevertheless, since this should work by default, it would be nice if you
>>>>> can open a bugzilla ticket for the SELinux policy on F23 to allow this
>>>>> by default.
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> ...
>>>>>> jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect
>>>>>> } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
>>>>>> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
>>>>>> jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42
>>>>>> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
>>>>>> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>>>>> sgid=0
>>>>>> ...
>>>>>> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
>>>>>> /usr/bin/sss_ssh_authorizedkeys martin failed, status 1
>>>>>> ...
>>>>>> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
>>>>>> from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
>>>>>> ...
>>>>>> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
>>>>>> from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
>>>>>> available [preauth]
>>>>>> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
>>>>>> port 22543 [preauth]
>>>>>>
>>>>>> which was weird, because the same key would nicely work elsewhere (on any other
>>>>>> CentOS 7.2 system, while no Fedora 23 system would work as I have figured out)
>>>>>>
>>>>>> I have tried putting SELinux into permissive mode, or generating custom module
>>>>>> with custom policy allowing this, but it doesn't help, and even tcpdump capture
>>>>>> doesn't capture anything when such connection to 'somewhere' port 80 is opened.
>>>>>>
>>>>>> I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
>>>>>> Fedora 23:
>>>>>> # sss_ssh_authorizedkeys martin
>>>>>> Error looking up public keys
>>>>>>
>>>>>> CentOS 7.2:
>>>>>> # sss_ssh_authorizedkeys martin
>>>>>> ssh-rsa AAA...
>>>>>> ssh-rsa AAA...
>>>>>> ssh-ed25519 AAA...
>>>>>> ssh-rsa AAA...
>>>>>> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsox... (???) -->> this one is not in
>>>>>> LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present
>>>>>> in dc=stefany,dc=eu tree or in compat tree
>>>>>>
>>>>>> So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and
>>>>>> CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these
>>>>>> failures:
>>>>>> ==> /var/log/sssd/sssd_ssh.log <==
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received
>>>>>> client version [0].
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered
>>>>>> version [0].
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200):
>>>>>> name 'martin' matched without domain, user is martin
>>>>>>
>>>>>> ==> /var/log/sssd/sssd_stefany.eu.log <==
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info]
>>>>>> (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]
>>>>>>
>>>>>> ==> /var/log/sssd/sssd_ssh.log <==
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
>>>>>> cert_to_ssh_key failed.
>>>>>> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
>>>>>> decode_and_add_base64_data failed.
>>>>>>
>>>>>> And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So
>>>>>> Fedora 23 fails because of some extra validation in SSSD...
>>>>>>
>>>>>> I can't tell where this invalid base64 stuff is coming from, and yes, I have
>>>>>> stopped both IPA servers, run sss_cache -E on both of them and on clients, and
>>>>>> started IPA servers serially one by one, the invalid key is still there.
>>>>>>
>>>>>> I have a plan B to delete the account, put it back and see if it cleans up, but
>>>>>> I would prefer to figure out what is actually wrong here and what's introducing
>>>>>> the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere
>>>>>>
>>>>>> Thank you in advance!
>>>>>>
>>>>>> Kind regards,
>>>>>> Martin
>>>>>>
>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>
>>>> --
>>>> --
>>>> Martin
>>
>> --
>> --
>> Martin

--
--
Martin

From abokovoy at redhat.com Sat Jul 16 10:07:08 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 16 Jul 2016 13:07:08 +0300
Subject: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding
In-Reply-To: <89FADA60-1922-40D3-9232-8DAB5A3F0987@high5games.com>
References: <315DBF50-976A-45FE-9F4F-1AF44C1DAE51@high5games.com> <89FADA60-1922-40D3-9232-8DAB5A3F0987@high5games.com>
Message-ID: <20160716100708.cfysluf6u6d5s3ah@redhat.com>

On Fri, 15 Jul 2016, Dan.Finkelstein at high5games.com wrote:
>There was a solution: explicitly disable DNSSEC in /etc/named.conf on
>all IPA masters/replicas and restart the named-pkcs11 service. After
>that, zone forwarding worked as expected.
If your DNS upstreams don't provide DNSSEC, it is enough to disable
dnssec validation in named.conf.

--
/ Alexander Bokovoy

From lslebodn at redhat.com Sat Jul 16 13:37:41 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 16 Jul 2016 15:37:41 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To:
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160716133740.GA16185@10.4.128.1>

On (16/07/16 10:19), Martin Štefany wrote:
>Hello Sumit,
>
>seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
>logs, but same problem: 'Error looking up public keys'.
>
>selinux-policy-3.13.1-191.fc24.3.noarch
>selinux-policy-targeted-3.13.1-191.fc24.3.noarch
>sssd-1.13.4-3.fc24.x86_64
>
Fedora 23 and Fedora 24 have the same version of sssd
and almost the same version of openssh.
I have no idea what could break it if there are not any AVCs.

>Using debug_level 0x0250 ::
>
For troubleshooting, it would be better to see all
debug messages. (debug_level = 0xfff0)

>$ /usr/bin/sss_ssh_authorizedkeys martin
>Error looking up public keys
>
And try to run strace with sss_ssh_authorizedkeys

LS

From rcritten at redhat.com Sat Jul 16 15:50:47 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 16 Jul 2016 11:50:47 -0400
Subject: [Freeipa-users] HowTo/LDAP
In-Reply-To: <1644775161.2489285.1468626732046.JavaMail.zimbra@eecs.wsu.edu>
References: <1644775161.2489285.1468626732046.JavaMail.zimbra@eecs.wsu.edu>
Message-ID: <578A57D7.1000900@redhat.com>

ipa at eecs.wsu.edu wrote:
> Hello,
> I was wondering, is this still valid:
> http://www.freeipa.org/page/HowTo/LDAP
>
> I am using these rpms:
> ipa-client-4.2.0-15.el7.centos.x86_64
> python-iniparse-0.4-9.el7.noarch
> device-mapper-multipath-libs-0.4.9-85.el7.x86_64
> libipa_hbac-1.13.0-40.el7.x86_64
> python-libipa_hbac-1.13.0-40.el7.x86_64
> device-mapper-multipath-0.4.9-85.el7.x86_64
> sssd-ipa-1.13.0-40.el7.x86_64
> ipa-server-4.2.0-15.el7.centos.x86_64
> ipa-python-4.2.0-15.el7.centos.x86_64
> ipa-admintools-4.2.0-15.el7.centos.x86_64
>
> I am trying to add a service account to do simple auth from
> a Netapp so it can get uid/gid for NFS v3 automounting,
> ultimately.
> > I was using this: > https://www.redhat.com/archives/freeipa-users/2011-December/msg00084.html > > and this: > https://www.redhat.com/archives/freeipa-users/2011-December/msg00090.html > > this kinda worked: > dn: uid=devfs1,cn=sysaccounts,cn=etc,dc=dev,dc=my,dc=domain > changetype: add > objectclass: account > objectclass: simplesecurityobject > uid: devfs1 > userPassword: mylamepassword > passwordExpirationTime: 20380119031407Z > nsIdleTimeout: 0 > > > ^D More details are needed on what kinda works and what doesn't work. rob From peter at pakos.uk Sat Jul 16 21:19:13 2016 From: peter at pakos.uk (Peter Pakos) Date: Sat, 16 Jul 2016 22:19:13 +0100 Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups Message-ID: Hi, I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups. Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. 
It works great, id shows all my secondary groups: # id peter.pakos uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow) After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing primary group, the secondary groups are missing: # id peter.pakos uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering) Similarly, getent is not showing group members: # getent group engineering engineering:*:511: Environment: # cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) # ipa --version VERSION: 4.2.0, API_VERSION: 2.156 This is an example sssd.conf file I'm using in my tests: [domain/ipa.wandisco.com] ldap_tls_reqcert = demand ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam config_file_version = 2 domains = ipa.wandisco.com [nss] [pam] [sudo] [autofs] [ssh] Am I missing anything in the sssd configuration? Any advice would be greatly appreciated. -- Kind regards, Peter Pakos -------------- next part -------------- An HTML attachment was scrubbed... URL: From dsullivan2 at bsd.uchicago.edu Sun Jul 17 02:38:46 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Sun, 17 Jul 2016 02:38:46 +0000 Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups In-Reply-To: References: Message-ID: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu> Have you tried different settings for ldap_schema (should be easy to test)? 
http://linux.die.net/man/5/sssd-ldap Dan On Jul 16, 2016, at 4:19 PM, Peter Pakos > wrote: Hi, I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups. Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. It works great, id shows all my secondary groups: # id peter.pakos uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow) After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing primary group, the secondary groups are missing: # id peter.pakos uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering) Similarly, getent is not showing group members: # getent group engineering engineering:*:511: Environment: # cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) # ipa --version VERSION: 4.2.0, API_VERSION: 2.156 This is an example sssd.conf file I'm using in my tests: [domain/ipa.wandisco.com] ldap_tls_reqcert = demand ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam config_file_version = 2 domains = ipa.wandisco.com [nss] [pam] [sudo] [autofs] [ssh] Am I missing anything in the sssd configuration? Any advice would be greatly appreciated. 
--
Kind regards,
Peter Pakos

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please
notify the sender and destroy all copies of the transmittal.

Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From dsullivan2 at bsd.uchicago.edu Sun Jul 17 02:48:49 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Sun, 17 Jul 2016 02:48:49 +0000
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
Message-ID:

Also, you might be able to tweak ldap_user_member_of, if you login to a DC and kinit to an IPA user and then ldap query, you should be able to get the LDIF record for a user, i.e.

1) kinit s.cri.ipa-idprovisioner at IPA.CRI.UCHICAGO.EDU
2) ldapsearch -x -b dc=ipa,dc=cri,dc=uchicago,dc=edu

Based on that you should be able to tune your LDAP parameters for SSSD.

Out of curiosity is there any reason you are not using the IPA provider instead of LDAP (in SSSD)?

Dan

On Jul 16, 2016, at 9:38 PM, Sullivan, Daniel [AAA] wrote:

Have you tried different settings for ldap_schema (should be easy to test)?
http://linux.die.net/man/5/sssd-ldap Dan On Jul 16, 2016, at 4:19 PM, Peter Pakos > wrote: Hi, I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups. Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. It works great, id shows all my secondary groups: # id peter.pakos uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow) After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing primary group, the secondary groups are missing: # id peter.pakos uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering) Similarly, getent is not showing group members: # getent group engineering engineering:*:511: Environment: # cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) # ipa --version VERSION: 4.2.0, API_VERSION: 2.156 This is an example sssd.conf file I'm using in my tests: [domain/ipa.wandisco.com] ldap_tls_reqcert = demand ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam config_file_version = 2 domains = ipa.wandisco.com [nss] [pam] [sudo] [autofs] [ssh] Am I missing anything in the sssd configuration? Any advice would be greatly appreciated. 
--
Kind regards,
Peter Pakos

From peter at pakos.uk Sun Jul 17 08:00:54 2016
From: peter at pakos.uk (Peter Pakos)
Date: Sun, 17 Jul 2016 09:00:54 +0100
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
Message-ID:

I did try setting ldap_schema to rfc2307 (I think this is the default setting), rfc2307bis and ipa, but it didn't make any difference.

I also tried setting

ldap_group_member = member
ldap_user_member_of = memberOf

but again, it made no difference.

On 17 July 2016 at 03:38, Sullivan, Daniel [AAA] <dsullivan2 at bsd.uchicago.edu> wrote:
> Have you tried different settings for ldap_schema (should be easy to test)?
>
> http://linux.die.net/man/5/sssd-ldap
>
> Dan
>

--
Kind regards,
Peter Pakos

From abokovoy at redhat.com Sun Jul 17 08:03:34 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 17 Jul 2016 11:03:34 +0300
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
Message-ID: <20160717080334.w3jc424log3nsw33@redhat.com>

On Sun, 17 Jul 2016, Sullivan, Daniel [AAA] wrote:
>Have you tried different settings for ldap_schema (should be easy to test)?
>
>http://linux.die.net/man/5/sssd-ldap
>
>Dan
>
>On Jul 16, 2016, at 4:19 PM, Peter Pakos wrote:
>
>Hi,
>
>I'm about to move our FreeIPA platform into production on Monday but
>I've just noticed a worrying issue with sssd - getent group is not
>showing group members and id is not showing secondary groups.
>
>Currently all our servers are configured with sssd using our old LDAP
>(389-ds) as a backend. It works great, id shows all my secondary
>groups:
>
># id peter.pakos
>uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)
>
>After re-configuring sssd to use FreeIPA's LDAP directory, id is only
>showing primary group, the secondary groups are missing:
>
># id peter.pakos
>uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)
>
>Similarly, getent is not showing group members:
>
># getent group engineering
>engineering:*:511:
Your sssd configuration does not mention what DN is used to bind to the
LDAP server to retrieve the data. This means you are using anonymous
bind. Since FreeIPA 4.0 there is a number of attributes that are not
available to anonymous binds, including 'member' and 'memberof'. Thus,
SSSD does not see membership information when using anonymous binds.

In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos
principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
server, thus all binds are authenticated and 'member'/'memberof'
attributes are accessible.

So you either need to enroll machines to IPA and switch your sssd.conf
to use 'ipa' providers instead of ldap, or define a system account that
can be used to bind to LDAP by your sssd clients. In short term
perspective that would probably be an easier fix. For the latter see
sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.
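The anonymous-bind diagnosis above, together with the ldap_default_bind_dn / ldap_default_authtok / rfc2307bis fix Peter later reports as working, turned into a check. This is an added example, not code from the thread or from SSSD: it audits an sssd.conf for ldap domains that would bind to FreeIPA anonymously (and so never see member/memberOf), and also flags a bind password that would leave the host without TLS. The two configurations inside are constructed from Peter's posted one; the bind DN is a hypothetical system account and the password a placeholder.

```python
"""Audit an sssd.conf for the misconfiguration in this thread: an ldap
id_provider that binds anonymously to a FreeIPA directory, which since
FreeIPA 4.0 hides member/memberOf and so returns no secondary groups.

Added example for the thread, not SSSD's or FreeIPA's own code. The
option names are the sssd-ldap(5) options named in the thread; the two
sample configurations are constructed from the one Peter posted.
"""
import configparser

# Constructed: Peter's posted domain (trimmed) with id_provider = ldap and
# no bind DN, i.e. an anonymous bind.
WEAK_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[domain/ipa.wandisco.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
"""

# Constructed: the same domain with the fix reported later in the thread,
# an authenticated bind as a system account plus the rfc2307bis schema.
# The bind DN is a hypothetical sysaccount and the password a placeholder.
FIXED_CONF = WEAK_CONF + """\
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssd-bind,cn=sysaccounts,cn=etc,dc=ipa,dc=wandisco,dc=com
ldap_default_authtok = CHANGE-ME-placeholder
"""


def _is_true(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text):
    """Return {domain: [findings]} for every [domain/...] section in text.

    An empty findings list means the domain passed every check.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    enabled = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        dom = cp[section]
        findings = []
        if name not in enabled:
            findings.append("not listed in [sssd] domains=, so sssd never loads it")
        if dom.get("id_provider", "").strip() != "ldap":
            # The ipa and ad providers bind with the host keytab over GSSAPI,
            # so the anonymous-bind problem does not arise there.
            report[name] = findings
            continue
        bind_dn = dom.get("ldap_default_bind_dn", "").strip()
        if not bind_dn:
            findings.append("anonymous bind (no ldap_default_bind_dn): FreeIPA >= 4.0 "
                            "hides member/memberOf from anonymous binds, so id and "
                            "getent show no secondary groups")
        elif not (dom.get("ldap_default_authtok") or dom.get("ldap_default_authtok_type")):
            findings.append("ldap_default_bind_dn set without ldap_default_authtok")
        schema = dom.get("ldap_schema", "rfc2307").strip().lower()
        if schema not in ("rfc2307bis", "ipa"):
            findings.append("ldap_schema=%s: FreeIPA groups list members as DNs "
                            "(member), so rfc2307bis is needed" % schema)
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if not u.lower().startswith("ldaps://")]
        if bind_dn and plain and not _is_true(dom.get("ldap_id_use_start_tls", "false")):
            findings.append("bind password would be sent in clear text to "
                            + ", ".join(plain))
        if dom.get("ldap_tls_reqcert", "hard").strip().lower() not in ("demand", "hard"):
            findings.append("ldap_tls_reqcert allows an unverified server certificate")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for domain, findings in audit_sssd_conf(conf).items():
            print("%s [%s]: %s" % (label, domain, findings or "OK"))
```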
>
>Environment:
>
># cat /etc/redhat-release
>CentOS Linux release 7.2.1511 (Core)
># ipa --version
>VERSION: 4.2.0, API_VERSION: 2.156
>
>This is an example sssd.conf file I'm using in my tests:
>
>
>[domain/ipa.wandisco.com]
>ldap_tls_reqcert = demand
>ldap_id_use_start_tls = True
>cache_credentials = True
>ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
>ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
>ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
>id_provider = ldap
>auth_provider = ldap
>chpass_provider = ldap
>ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>services = nss, pam
>config_file_version = 2
>domains = ipa.wandisco.com
>
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>Am I missing anything in the sssd configuration?
>
>Any advice would be greatly appreciated.
>
>--
>Kind regards,
> Peter Pakos

--
/ Alexander Bokovoy

From peter at pakos.uk Sun Jul 17 08:16:33 2016
From: peter at pakos.uk (Peter Pakos)
Date: Sun, 17 Jul 2016 09:16:33 +0100
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To:
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu>
Message-ID:

On 17 July 2016 at 03:48, Sullivan, Daniel [AAA] <dsullivan2 at bsd.uchicago.edu> wrote:
>
> Out of curiosity is there any reason you are not using the IPA provider
> instead of LDAP (in SSSD)?
>
We initially want to switch hundreds of servers via Puppet change. At a later stage we'll look at joining them using ipa-client.

Quick update, I can see group members and list of secondary groups when I use compat tree:

ldap_search_base = cn=compat,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=compat,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=compat,dc=ipa,dc=wandisco,dc=com

Not sure if using compat tree is the best approach here though.

--
Kind regards,
Peter Pakos

From peter at pakos.uk Sun Jul 17 08:17:45 2016
From: peter at pakos.uk (Peter Pakos)
Date: Sun, 17 Jul 2016 09:17:45 +0100
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To: <20160717080334.w3jc424log3nsw33@redhat.com>
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu> <20160717080334.w3jc424log3nsw33@redhat.com>
Message-ID:

On 17 July 2016 at 09:03, Alexander Bokovoy wrote:
>
> Your sssd configuration does not mention what DN is used to bind to the
> LDAP server to retrieve the data.
This means you are using anonymous > bind. Since FreeIPA 4.0 there is a number of attributes that are not > available to anonymous binds, including 'member' and 'memberof'. Thus, > SSSD does not see membership information when using anonymous binds. > > In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos > principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP > server, thus all binds are authenticated and 'member'/'memberof' > attributes are accessible. > > So you either need to enroll machines to IPA and switch your sssd.conf > to use 'ipa' providers instead of ldap, or define a system account that > can be used to bind to LDAP by your sssd clients. In short term > perspective that would probably be an easier fix. For the latter see > sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options. Interesting, I'll look into this and report back. -- Kind regards, Peter Pakos -------------- next part -------------- An HTML attachment was scrubbed... URL: From bpk678 at gmail.com Sun Jul 17 20:36:25 2016 From: bpk678 at gmail.com (Brendan Kearney) Date: Sun, 17 Jul 2016 16:36:25 -0400 Subject: [Freeipa-users] non-authoritative tricks for DNS resolution Message-ID: <578BEC49.6060705@gmail.com> i am looking to setup a VPN in order to access some resources, and want to point my clients at this resource via DNS. the resource i am accessing is internet resolvable, but i am accessing it via the VPN, and using a NAT for the VPN (full 1-to-1 or static NAT). i want to have a record in my DNS for this resource, using its proper name (which i am not authoritative for), but assign it the IP of my NAT. say for example, host.domain-ext.tld is the resource i want to access, and it resolves externally to 1.2.3.4. my VPN NAT would be 192.168.99.137. i want internal resolution of DNS to point to 192.168.99.137 so the network routing takes my internal clients to the VPN and not out to the internet. 
i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns. how do i setup the zone and record to accomplish this DNS trick? i have talked with some DNS gurus and they indicate that i can do something with the "@" record. it seems that the record i want, would be its own zone, and the @ record would point to the name, and the SOA would be the NAT IP. i could be wrong about the details, but something like this is how to setup resolution the way i want. any pointers would be greatly appreciated. thanks, brendan From peter at pakos.uk Sun Jul 17 21:00:28 2016 From: peter at pakos.uk (Peter Pakos) Date: Sun, 17 Jul 2016 22:00:28 +0100 Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups In-Reply-To: <20160717080334.w3jc424log3nsw33@redhat.com> References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu> <20160717080334.w3jc424log3nsw33@redhat.com> Message-ID: On 17 July 2016 at 09:03, Alexander Bokovoy wrote: > Your sssd configuration does not mention what DN is used to bind to the > LDAP server to retrieve the data. This means you are using anonymous > bind. Since FreeIPA 4.0 there is a number of attributes that are not > available to anonymous binds, including 'member' and 'memberof'. Thus, > SSSD does not see membership information when using anonymous binds. > > In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos > principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP > server, thus all binds are authenticated and 'member'/'memberof' > attributes are accessible. > > So you either need to enroll machines to IPA and switch your sssd.conf > to use 'ipa' providers instead of ldap, or define a system account that > can be used to bind to LDAP by your sssd clients. In short term > perspective that would probably be an easier fix. For the latter see > sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options. Bingo! 
Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for us:

    ldap_schema = rfc2307bis
    ldap_default_bind_dn = *dn*
    ldap_default_authtok = *password*

Many thanks!

--
Kind regards,
Peter Pakos

From martin at stefany.eu Sun Jul 17 21:21:34 2016
From: martin at stefany.eu (Martin Štefany)
Date: Sun, 17 Jul 2016 23:21:34 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <20160716133740.GA16185@10.4.128.1>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1>
Message-ID: <1468790494.3762.1.camel@stefany.eu>

On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> On (16/07/16 10:19), Martin Štefany wrote:
> >
> > Hello Sumit,
> >
> > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
> > logs, but same problem: 'Error looking up public keys'.
> >
> > selinux-policy-3.13.1-191.fc24.3.noarch
> > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > sssd-1.13.4-3.fc24.x86_64
> >
> Fedora 23 and Fedora 24 have the same version of sssd
> and almost the same version of openssh.
> I have no idea what could break it if there are not any AVCs.
>
> >
> > Using debug_level 0x0250 ::
> >
> For troubleshooting, it would be better to see all
> debug messages. (debug_level = 0xfff0)

Hello Lukas,

thanks for replying on this, here are debug_level = 0xfff0 messages

(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[1293400001] egid[1293400001] pid[15966].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [martin][]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'martin' matched without domain, user is martin
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [martin] from []
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x5617c96301a0:1:martin at stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [stefany.eu][0x1][BE_REQ_USER][1][name=martin]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x5617ca09bb60
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x5617c96301a0:1:martin at stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x5617ca09bb60
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x5617ca09a300
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [martin at stefany.eu]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x5617ca0a4370
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x5617ca0a4430
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x5617ca0a4370 "ltdb_callback"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x5617ca0a4430 "ltdb_timeout"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x5617ca0a4370 "ltdb_callback"
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0x5617ca096280][18]
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x5617c96301a0:1:martin at stefany.eu]

> >
> > $ /usr/bin/sss_ssh_authorizedkeys martin
> > Error looking up public keys
> >
> And try to run strace with sss_ssh_authorizedkeys
>
> LS

Martin

From datakid at gmail.com Sun Jul 17 23:17:06 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 18 Jul 2016 09:17:06 +1000
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To: <20160715075629.GI4734@hendrix>
References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix>
Message-ID:

Previously we did have the default_domain_suffix set, but we had to unset it. I can't remember why we had to - something to do with ownership/permissions and our filesystem (IBM v7000) not playing nice iirc.

We really wanted to use the dds => the researchers are complaining of broken brains due to the new concept of "ssh user1 at domain.com@ipa.domain.com". I will need to teach ssh config.

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 15 July 2016 at 17:56, Jakub Hrozek wrote:

> On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote:
> > I've updated all the relevant hosts and the FreeIPA server to the COPR sssd
> > 1.14.0 release and the problem seems to have disappeared.
>
> Great, but please keep an eye on the machine, the 1.14 branch is still
> kind of fresh and we did a lot of changes.
>
> About the HBAC issue, did you use the default_domain_suffix previously?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From datakid at gmail.com Sun Jul 17 23:33:35 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 18 Jul 2016 09:33:35 +1000
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
In-Reply-To:
References: <20160715065943.GA30895@10.4.128.1> <20160715080523.GK4734@hendrix>
Message-ID:

Ok, I've just spoken with my colleague that has been involved in the IPA roll out, and he said he thought that override_space wasn't compatible with ID overrides?

Either way, since we have a working system we are reticent to make too many changes - soon we will have a test system in place and I will be able to check it then?

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 15 July 2016 at 20:17, Lachlan Musicman wrote:

> Won't be able to check until Monday morning (Australia's weekend has
> started) but can check, yes.
>
> And the reason I reported to you is because you will have more weight with
> selinux bug tickets than I would.
>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 15 July 2016 at 18:05, Jakub Hrozek wrote:
>
>> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
>> > On (15/07/16 12:56), Lachlan Musicman wrote:
>> > >This line:
>> > >
>> > >We have SELinux disabled on all of our servers, but we hadn't disabled this
>> > >check in sssd.conf. So we enabled it in sssd.conf and everything worked
>> > >fine.
>> > >
>> > >Should read that we *disabled* selinux.
>> > >
>> > >selinux_provider = none
>> > Could you also try another solution?
>> > put "override_space = _" into "sssd" section in sssd.conf
>> > and restart sssd.
>> >
>> > As a result of this space will be replaced with underscore
>> > and libsemanage should not complain.
>> >
>> > @see man sssd.conf -> override_space
>>
>> This is either a bug in semanage, we should file one and ask the
>> semanage developers if there is a proper way to quote the spaces.
>>
>> But yes, selinux_provider=none would disable this area of code.
>>
>

From dsullivan2 at bsd.uchicago.edu Mon Jul 18 01:25:31 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Mon, 18 Jul 2016 01:25:31 +0000
Subject: [Freeipa-users] non-authoritative tricks for DNS resolution
In-Reply-To: <578BEC49.6060705@gmail.com>
References: <578BEC49.6060705@gmail.com>
Message-ID: <9521194D-D168-41D4-B588-1B18578F70D1@bsd.uchicago.edu>

Would a DNS view (bind) work?

http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm

Also, depending on what you are using for NAT, some devices will mangle the reply payload of A record lookups as they traverse NAT to avoid hairpinning (a packet going out and then back in the same interface as it traverses NAT). This is known as DNS doctoring, at least in the world of Cisco.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Let me know if either of those will solve your problem. If not, I might have a misunderstanding of what you are asking.

Dan

> On Jul 17, 2016, at 3:36 PM, Brendan Kearney wrote:
>
> i am looking to set up a VPN in order to access some resources, and want to point my clients at this resource via DNS.
> the resource i am accessing is internet resolvable, but i am accessing it via the VPN, and using a NAT for the VPN (full 1-to-1 or static NAT). i want to have a record in my DNS for this resource, using its proper name (which i am not authoritative for), but assign it the IP of my NAT.
>
> say for example, host.domain-ext.tld is the resource i want to access, and it resolves externally to 1.2.3.4. my VPN NAT would be 192.168.99.137. i want internal resolution of DNS to point to 192.168.99.137 so the network routing takes my internal clients to the VPN and not out to the internet.
>
> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns. how do i set up the zone and record to accomplish this DNS trick? i have talked with some DNS gurus and they indicate that i can do something with the "@" record. it seems that the record i want would be its own zone, and the @ record would point to the name, and the SOA would be the NAT IP. i could be wrong about the details, but something like this is how to set up resolution the way i want.
>
> any pointers would be greatly appreciated.
>
> thanks,
>
> brendan
>

From linov.suresh at gmail.com Mon Jul 18 03:45:04 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Sun, 17 Jul 2016 23:45:04 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <578950E8.6040902@redhat.com>
References: <578950E8.6040902@redhat.com>
Message-ID:

Thanks for the update Rob.

I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,

*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*

[root at caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:52 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
        track: yes
        auto-renew: yes
[root at caer ~]#

Your help is highly appreciated!

On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> I logged into my IPA master, and found that the cert had expired again,
>> we renewed these certificates about 18 months ago.
>>
>> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>
>>
>> I followed the Redhat documentation, How do I manually renew Identity
>> Management (IPA) certificates after they have expired? (Master IPA
>> Server), https://access.redhat.com/solutions/643753 but no luck.
>>
>>
>> I have also changed the directive "NSSEnforceValidCerts off" in
>> /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>
>> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>> -b cn=config | grep nsslapd-validate-cert
>>
>> nsslapd-validate-cert: warn
>>
>> Here is my getcert list,
>>
>> [root at caer ~]# getcert list
>>
>
> It looks like your CA subsystem certificates all renewed successfully; it
> is just the webserver and LDAP certificates that need renewing, so that's
> good.
>
> What I'd do is go back in time again to say Jan 20, 2016 and restart
> certmonger. That should make it retry the renewals.
>
> rob
>

From sbose at redhat.com Mon Jul 18 07:50:54 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 18 Jul 2016 09:50:54 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <1468790494.3762.1.camel@stefany.eu>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu>
Message-ID: <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > On (16/07/16 10:19), Martin Štefany wrote:
> > >
> > > Hello Sumit,
> > >
> > > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
> > > logs, but same problem: 'Error looking up public keys'.
> > >
> > > selinux-policy-3.13.1-191.fc24.3.noarch
> > > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > > sssd-1.13.4-3.fc24.x86_64
> > >
> > Fedora 23 and Fedora 24 have the same version of sssd
> > and almost the same version of openssh.
> > I have no idea what could break it if there are not any AVCs.
> >
> > >
> > > Using debug_level 0x0250 ::
> > >
> > For troubleshooting, it would be better to see all
> > debug messages. (debug_level = 0xfff0)
>
> Hello Lukas,
>
> thanks for replying on this, here are debug_level = 0xfff0 messages
> ...
> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
> CERT_VerifyCertificateNow failed [-8179].
> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
> cert_to_ssh_key failed.

-8179 translates to "Peer's certificate issuer is not recognized."
(http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
This means the CA certificate which signed the certificate on the
Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.

Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
this might be the reason why you see this with F24.

To fix this please either add the needed CA certificates to
/etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
[ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
certificates to validate the Smartcard certificate.

I'm working on a fix for SSSD to handle this change
automatically, but unfortunately it is not ready yet.

HTH

bye,
Sumit

>
> > >
> > > $ /usr/bin/sss_ssh_authorizedkeys martin
> > > Error looking up public keys
> > >
> > And try to run strace with sss_ssh_authorizedkeys
> >
> > LS
>
> Martin

From jhrozek at redhat.com Mon Jul 18 08:12:29 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Jul 2016 10:12:29 +0200
Subject: [Freeipa-users] HBAC and AD users
In-Reply-To:
References: <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix>
Message-ID: <20160718081229.GT4734@hendrix>

On Mon, Jul 18, 2016 at 09:17:06AM +1000, Lachlan Musicman wrote:
> Previously we did have the default_domain_suffix set, but we had to unset
> it.
> I can't remember why we had to - something to do with
> ownership/permissions and our filesystem (IBM v7000) not playing nice iirc.
> We really wanted to use the dds => the researchers are complaining of
> broken brains due to the new concept of "ssh user1 at domain.com@ipa.domain.com".
> I will need to teach ssh config.

OK, in the versions before 1.14 it was quite hard (read: impossible) to set short names for trusted users on the clients. On the IDM servers, you should still use long names for output, because that's what the IPA plugins expect, but on the clients, it should be possible to set shortnames with the full_name_format.

From jhrozek at redhat.com Mon Jul 18 08:19:10 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Jul 2016 10:19:10 +0200
Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)
In-Reply-To: <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu>
References: <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix> <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu>
Message-ID: <20160718081910.GU4734@hendrix>

On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote:
>
> Jakub,
>
> Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said:
>
> Thank you, but did this command return "No such user" ?
>
> Yes. Whenever this occurs "No such user" is the result from the id command executed on the client.
>
> If it did, was the user cached previously (iow, was there a successful
> lookup before) ?
>
> No, this is the first time the user has ever been looked up. As far as I know the user has never been successfully entered into the cache. Similarly, the user has never logged in to the IPA server via an SSSD client.

Ah, thank you, if the user has not been cached before, then it's expected that the lookup has nothing to fall back to if the client fails to look up information from the server.

>
> Here is an example of a failed lookup from a client:
>
> [root at cri-kcriwebgdp1 problem]# id hahsan
> id: hahsan: No such user
>
> The DC logs for this operation are
> NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
> IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

Thank you, I see that there is quite a lot of groups and the lookup takes a bit of time. I wonder if any of the groups the user is a member of are large? If yes (and since moving the cache to tmpfs had helped), I wonder if also using ignore_group_members would mitigate the issue further, like this:

    subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
    ignore_group_members = True
    ldap_purge_cache_timeout = 0

These would go into the domain section on the server itself.

From jhrozek at redhat.com Mon Jul 18 08:24:34 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Jul 2016 10:24:34 +0200
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To:
References: <3B30333D-E3AC-4695-AA78-25B6AF51DF93@bsd.uchicago.edu> <20160717080334.w3jc424log3nsw33@redhat.com>
Message-ID: <20160718082434.GV4734@hendrix>

On Sun, Jul 17, 2016 at 10:00:28PM +0100, Peter Pakos wrote:
> On 17 July 2016 at 09:03, Alexander Bokovoy wrote:
>
> > Your sssd configuration does not mention what DN is used to bind to the
> > LDAP server to retrieve the data. This means you are using anonymous
> > bind. Since FreeIPA 4.0 there is a number of attributes that are not
> > available to anonymous binds, including 'member' and 'memberof'.
> > Thus,
> > SSSD does not see membership information when using anonymous binds.
> >
> > In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos
> > principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
> > server, thus all binds are authenticated and 'member'/'memberof'
> > attributes are accessible.
> >
> > So you either need to enroll machines to IPA and switch your sssd.conf
> > to use 'ipa' providers instead of ldap, or define a system account that
> > can be used to bind to LDAP by your sssd clients. In short term
> > perspective that would probably be an easier fix. For the latter see
> > sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.
>
>
> Bingo!
>
> Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for
> us:
>
> ldap_schema = rfc2307bis
> ldap_default_bind_dn = *dn*
> ldap_default_authtok = *password*
>
> Many thanks!

I'm glad it works now, but why did you choose to use the LDAP back end over the IPA back end? By using LDAP, you gain the ability to not enroll clients with ipa-client-install, but you lose the ease of manageability, HBAC, easy SUDO integration, not to mention you need to put passwords into the config file.

From jhrozek at redhat.com Mon Jul 18 08:26:16 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Jul 2016 10:26:16 +0200
Subject: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
In-Reply-To:
References: <20160715065943.GA30895@10.4.128.1> <20160715080523.GK4734@hendrix>
Message-ID: <20160718082616.GW4734@hendrix>

On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?

I haven't tested that to be honest.
But just using my knowledge of the code as a basis, I would say the two should be compatible, especially with 1.14.0 where we decoupled the output from how we store users. But again, I haven't tested any of this.

>
> Either way, since we have a working system we are reticent to make too many
> changes - soon we will have a test system in place and I will be able to
> check it then?

selinux_provider=none should be an easy workaround if you don't use the SELinux labels. I still have an item on my todo list to test this locally, I think I will get to that this week.

From martin at stefany.eu Mon Jul 18 09:46:10 2016
From: martin at stefany.eu (Martin Štefany)
Date: Mon, 18 Jul 2016 11:46:10 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu> <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <47d3f8bf-98bc-34c2-f09c-7cc99da3fc24@stefany.eu>

On 7/18/2016 9:50 AM, Sumit Bose wrote:
> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
>> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
>>> On (16/07/16 10:19), Martin Štefany wrote:
>>>>
>>>> Hello Sumit,
>>>>
>>>> seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
>>>> logs, but same problem: 'Error looking up public keys'.
>>>>
>>>> selinux-policy-3.13.1-191.fc24.3.noarch
>>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch
>>>> sssd-1.13.4-3.fc24.x86_64
>>>>
>>> Fedora 23 and Fedora 24 have the same version of sssd
>>> and almost the same version of openssh.
>>> I have no idea what could break it if there are not any AVCs.
>>>
>>>>
>>>> Using debug_level 0x0250 ::
>>>>
>>> For troubleshooting, it would be better to see all
>>> debug messages. (debug_level = 0xfff0)
>>
>> Hello Lukas,
>>
>> thanks for replying on this, here are debug_level = 0xfff0 messages
>>
>
> ...
>
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
>> CERT_VerifyCertificateNow failed [-8179].
>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
>> cert_to_ssh_key failed.
>
> -8179 translates to "Peer's certificate issuer is not recognized."
> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> This means the CA certificate which signed the certificate on the
> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.
>
> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb,
> this might be the reason why you see this with F24.
>
> To fix this please either add the needed CA certificates to
> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> certificates to validate the Smartcard certificate.

Thank you! Fixed for now by putting 'ca_db = /etc/ipa/nssdb' to the [ssh] section of sssd.conf, but the CA certificate is actually the one from IPA CA, as this SSH key is generated from my userCertificate. Works like a charm.

Kind regards,
Martin

>
> I'm working on a fix for SSSD to handle this change
> automatically, but unfortunately it is not ready yet.
> > HTH > > bye, > Sumit > >> >>>> >>>> $ /usr/bin/sss_ssh_authorizedkeys martin >>>> Error looking up public keys >>>> >>> And try to run strace with sss_ssh_authorizedkeys >>> >>> LS >> >> Martin -- Martin From pspacek at redhat.com Mon Jul 18 10:12:42 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 18 Jul 2016 12:12:42 +0200 Subject: [Freeipa-users] non-authoritative tricks for DNS resolution In-Reply-To: <9521194D-D168-41D4-B588-1B18578F70D1@bsd.uchicago.edu> References: <578BEC49.6060705@gmail.com> <9521194D-D168-41D4-B588-1B18578F70D1@bsd.uchicago.edu> Message-ID: <0a093d72-8c2a-19a4-54ad-8ab386b023b0@redhat.com> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote: > Would a DNS view (bind) work? > > http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm > > Also, depending on what you are using for NAT, some devices will mangle the reply payload of A record lookups as they traverse NAT to avoid hairpinning (a packet going out and then back in the same interface as it traverses NAT). This is known as DNS doctoring, at least in the world of Cisco. > > http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html > > Let me know if either of those will solve your problem. If not, I might have a misunderstanding of what you are asking. > > Dan > >> On Jul 17, 2016, at 3:36 PM, Brendan Kearney wrote: >> >> i am looking to setup a VPN in order to access some resources, and want to point my clients at this resource via DNS. the resource i am accessing is internet resolvable, but i am accessing it via the VPN, and using a NAT for the VPN (full 1-to-1 or static NAT). i want to have a record in my DNS for this resource, using its proper name (which i am not authoritative for), but assign it the IP of my NAT. >> >> say for example, host.domain-ext.tld is the resource i want to access, and it resolves externally to 1.2.3.4. my VPN NAT would be 192.168.99.137.
i want internal resolution of DNS to point to 192.168.99.137 so the network routing takes my internal clients to the VPN and not out to the internet. >> >> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns. how do i setup the zone and record to accomplish this DNS trick? i have talked with some DNS gurus and they indicate that i can do something with the "@" record. it seems that the record i want, would be its own zone, and the @ record would point to the name, and the SOA would be the NAT IP. i could be wrong about the details, but something like this is how to setup resolution the way i want. >> >> any pointers would be greatly appreciated. Background note: all these DNS tricks are hacks to work around an IP routing problem in the configuration you described. If you really want to use DNS tricks, you can create a DNS zone with a name equal to the name you want to override and fill this zone with an A/AAAA record at the zone apex (@). The DNS approach has some inherent advantages:
1. All DNS names below the name you want to 'hijack' will not be resolvable in your network. E.g. if the name is hijacked.example.com. then sub-domains like anything.hijacked.example.com. will not be resolvable.
2. Your clients will go securely over VPN if and only if they use your local DNS servers. Any client configured (even accidentally) to use some other DNS server (e.g. public 8.8.8.8) will get the 'public' address and will not tunnel the traffic over VPN.
A secure and reliable solution is not to use DNS but to solve things on the IP layer: on the network gateway, configure an IPsec tunnel (or any other VPN) in a way that *the original IP address* is routed over the VPN. This does not require any DNS tricks and thus will work regardless of client configuration. I hope it helps.
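As an added example (not from the thread), this is the zone Petr describes, written as a plain BIND zone file for the name and NAT address Brendan used. The name server host names, the contact mailbox, the serial and the file path are assumptions; Brendan runs bind-dyndb-ldap, and the equivalent LDAP-backed zone entry is not shown here. Note that the NAT address goes into the apex A record, not into the SOA: the SOA only names the primary server and a contact.

```zone
; /var/named/host.domain-ext.tld.zone (assumed path). Load it from named.conf with
;   zone "host.domain-ext.tld" { type master; file "/var/named/host.domain-ext.tld.zone"; };
; The zone name is exactly the name being overridden, so this server becomes
; authoritative for it and for everything below it.
$TTL 300
$ORIGIN host.domain-ext.tld.
@   IN SOA  ns1.internal.example. hostmaster.internal.example. (
                2016071801 ; serial (assumed)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-answer TTL
@   IN NS   ns1.internal.example.
@   IN A    192.168.99.137   ; the VPN NAT address from the question, not the public 1.2.3.4
```

To check it, query your own resolver for host.domain-ext.tld (expect 192.168.99.137) and for anything.host.domain-ext.tld (expect NXDOMAIN, which is Petr's first caveat in action); the same two queries against 8.8.8.8 return the public data, which is his second caveat.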
-- Petr^2 Spacek From grantwu at andrew.cmu.edu Fri Jul 15 00:48:14 2016 From: grantwu at andrew.cmu.edu (Grant Wu) Date: Thu, 14 Jul 2016 20:48:14 -0400 Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment In-Reply-To: <375f7afa-d065-207b-6956-5c0f30ea1cd4@redhat.com> References: <375f7afa-d065-207b-6956-5c0f30ea1cd4@redhat.com> Message-ID: Thanks for the information. Do you know if there are any plans to support cross-realm trust with general KDCs? From lsuresh at teloip.com Fri Jul 15 20:42:36 2016 From: lsuresh at teloip.com (Linov Suresh) Date: Fri, 15 Jul 2016 20:42:36 +0000 Subject: [Freeipa-users] IPA certificates expired, please help! Message-ID: I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago. Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Redhat documentation, How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server), https://access.redhat.com/solutions/643753 but no luck. I have also changed "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and the nsslapd-validate-cert value is warn. ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert nsslapd-validate-cert: warn Here is my getcert list, [root at caer ~]# getcert list Number of certificates and requests being tracked: 8. Request ID '20111214223243': status: CA_UNREACHABLE ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=caer.teloip.net,O=TELOIP.NET expires: 2016-01-29 14:09:46 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20111214223300': status: CA_UNREACHABLE ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=caer.teloip.net,O=TELOIP.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20111214223316': status: CA_UNREACHABLE ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates). 
stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=caer.teloip.net,O=TELOIP.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130519130741': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=CA Audit,O=TELOIP.NET expires: 2017-10-13 14:10:49 UTC pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130742': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=OCSP Subsystem,O=TELOIP.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-OCSPSigning pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130743': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664' 
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=CA Subsystem,O=TELOIP.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130744': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=RA Subsystem,O=TELOIP.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130519130745': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TELOIP.NET subject: CN=caer.teloip.net,O=TELOIP.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Note: I'm seeing two blobs in ipaCert, not sure this is because we already renewed the certificate about 18 months back. 
[root at caer ~]# certutil -L -d /etc/httpd/alias -n ipaCert -a -----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIBQDANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTUxMDI0 MTQwOTQ5WhcNMTcxMDEzMTQwOTQ5WjAsMRMwEQYDVQQKEwpURUxPSVAuTkVUMRUw EwYDVQQDEwxSQSBTdWJzeXN0ZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDVI16akCv85Wgl3L+vF0hOb0G7NItC4bt77wsSqUCp6CRQQXyEt3NR/QuV Ta/NPnHKLRDGVUHXxbhWNpC6e/gxrAC6aO3/XyqRWJG6WHqC4jMepz9vaeeYwTx1 MvH4JQMJtPY745Mu8cbL6xgPVJV2G2gaQyoJWnelPbmCAudF8WDZXXnMGR7zXv1U 2e9R+b0QgLrOUklWv+hW6tqgbhZONaITPcEA8byiXTizIa+vfICkSMZW6qYLpvh6 IEXMZ+CxkhGN101HiyrHKNIBUeXoCvIf1s6fTzJHIFgCpeDS2gymj8hbmSEItRfz OK9xD3+3bP+ttgw3rxPKiKqCKNr/AgMBAAGjgZIwgY8wHwYDVR0jBBgwFoAUx5/Z pwOfXZQ5KNwC42cBW+Y+bGIwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFo dHRwOi8vY2Flci50ZWxvaXAubmV0OjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTw MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOC AQEAGxNLz7EQsdqTEzy1zf1KtpBKLEGdsst2OhzfAuPWQk/ZSVQHyaAgjOirUngG 1ZUmdPhsi+O9UVobLL/yBOnM6HUAsFG+kzk3Tkkfry2+U9goIZgri+LyPuZhK5A1 tczTcBinbSBF0XjJXCt6o3dq1BAf0Z/JazxV9NNDXoV0JHL6gHbZ66rN/ohBeSPB uQSyLhFqZvVXbKw3sIahu9hfwfa+GBoJ7oQ/3sRXGE1iVbxaV8nOjHRbBAgOxgCU XOZ3MshXy3eqMpoyFBcA7F9tKfFrHShL/VSk1W2xugXNQW7e+9vATLGLnmPRslLy 3fN5HM3Wmhjoya3C6rxXPpgGbQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDcTCCAlmgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0 MjIzMTUzWhcNMTMxMjAzMjIzMTUzWjAsMRMwEQYDVQQKEwpURUxPSVAuTkVUMRUw EwYDVQQDEwxSQSBTdWJzeXN0ZW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDVI16akCv85Wgl3L+vF0hOb0G7NItC4bt77wsSqUCp6CRQQXyEt3NR/QuV Ta/NPnHKLRDGVUHXxbhWNpC6e/gxrAC6aO3/XyqRWJG6WHqC4jMepz9vaeeYwTx1 MvH4JQMJtPY745Mu8cbL6xgPVJV2G2gaQyoJWnelPbmCAudF8WDZXXnMGR7zXv1U 2e9R+b0QgLrOUklWv+hW6tqgbhZONaITPcEA8byiXTizIa+vfICkSMZW6qYLpvh6 IEXMZ+CxkhGN101HiyrHKNIBUeXoCvIf1s6fTzJHIFgCpeDS2gymj8hbmSEItRfz OK9xD3+3bP+ttgw3rxPKiKqCKNr/AgMBAAGjgZQwgZEwHwYDVR0jBBgwFoAUx5/Z 
pwOfXZQ5KNwC42cBW+Y+bGIwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzABhiNo dHRwOi8vY2Flci50ZWxvaXAubmV0OjkxODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMC BPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA A4IBAQCSH1Qf7pIWL4krYbMvvPqoQddy4A1Rgc4pglhQwVb7UhzFuPoD+IcVk8LJ KCA8mlWKpBw9vnCsbaIB1oIs7aFEvFJVb9G2TUJ/gzcbMlPfDJ1CdoBJgN/QDfqA Az3k3av4U5rJc59KG5taV3nKcSRtLT2qiW939fgDWbUkAoyALlDg+v5kNgPVEvb0 oGBMypFL9LW6CcQJycde8nB6XnBPMFaPrJu4l1pThS7OfBFIwewpd72+JstiaIv5 tKMdREWFwZuiQ9NVX5E9pzTwgbi/9WbKSZgNl58L16zgwnZ0pnndDcNf/FXwwRKP wm1YBfh+UyydiHHl/swLyV84vOXr -----END CERTIFICATE----- Your help is highly appreciated. Regards, Linov Suresh. From dsullivan2 at bsd.uchicago.edu Mon Jul 18 11:56:24 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Mon, 18 Jul 2016 11:56:24 +0000 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <20160718081910.GU4734@hendrix> References: <20160713063744.GM24683@hendrix> <349D929A-C926-44F6-AFF7-38206E52EA3F@bsd.uchicago.edu> <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix> <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu> <20160718081910.GU4734@hendrix> Message-ID: Hi, Jakub, In line with your performance tuning document referenced prior in this thread, I've actually already implemented the three configuration changes you specified (prior to identifying this issue). Right now I am focusing on the use case documented below, because as of right now I am unable to get that user populated into a client cache with sssd 1.14, at all.
In other cases for individual users (prior to implementing tmpfs for example), it seemed like an initial lookup on a client failed, then subsequent lookups would succeed, presumably as a result of the DC eventually looking up and caching the user. This user (the one I can't seem to lookup on a client) is a member of a large number of groups, and also some of these groups have longer names with spaces and special characters in them (i.e. $ and . @) I haven't gone through and checked if one of these groups has a large number of users, primarily because I am able to lookup users that are members of groups with a large number of members (over 1000) already. This is an actual group that this user is a member of, for example: 788658174(members of this group will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) Right now my theory is that the @ in this group name is causing the lookup to fail, as it is used as a character to specify the actual domain of a trusted group, although that has yet to be verified.
NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 Here is the full list of groups the user is a member of, from the output of the id command on a DC: uid=339741696(hahsan at bsdad.uchicago.edu) gid=339741696(hahsan at bsdad.uchicago.edu) groups=339741696(hahsan at bsdad.uchicago.edu),788655857(hsd$ kcbd 6260 conference room freebusy read at bsdad.uchicago.edu),788668882(phs phsapps remoteapp default apps at bsdad.uchicago.edu),788670425(phs phsapps notepad2 users at bsdad.uchicago.edu),788670429(phs phsapps cmd users at bsdad.uchicago.edu),339797692(cri-hpc_allusers at bsdad.uchicago.edu),788670440(phs phsapps r v3.2.0 32-bit users at bsdad.uchicago.edu),788672389(phs phsapps remote desktop users at bsdad.uchicago.edu),788655856(hsd$ w230 conference room freebusy read at bsdad.uchicago.edu),788670441(phs phsapps r v3.2.0 64-bit users at bsdad.uchicago.edu),788672413(phs phsapps r v3.2.3 64-bit users at bsdad.uchicago.edu),788670431(phs phsapps file explorer users at bsdad.uchicago.edu),788670428(phs phsapps adobe reader xi users at bsdad.uchicago.edu),788609545(adm-trackitusers at bsdad.uchicago.edu),788615356(hsd$ workstation local login at bsdad.uchicago.edu),339794097(cri-lmem_cri_users at bsdad.uchicago.edu),788670445(phs phsapps taskmgr users at bsdad.uchicago.edu),788624309(hsd$ print at bsdad.uchicago.edu),788670436(phs phsapps notepadplusplus users at bsdad.uchicago.edu),788654299(cri-all_groups at bsdad.uchicago.edu),788670434(phs phsapps notepad users at bsdad.uchicago.edu),788670438(phs phsapps plink 1.90 users at bsdad.uchicago.edu),788670427(phs phsapps office access 2013 users at bsdad.uchicago.edu),788655855(hsd$ w229 conference room freebusy read at bsdad.uchicago.edu),788635799(adm-sde-clients at bsdad.uchicago.edu),788670439(phs phsapps office powerpoint 2013 user at bsdad.uchicago.edu),788610792(hsd$ all health studies at
bsdad.uchicago.edu),788655854(hsd$ n102 conference room freebusy read at bsdad.uchicago.edu),339793627(cri-galaxy_web_users at bsdad.uchicago.edu),788670444(phs phsapps statamp 14 users at bsdad.uchicago.edu),339792922(cri-all_users at bsdad.uchicago.edu),788670442(phs phsapps rstudio users at bsdad.uchicago.edu),788655852(hsd$ freebusy read for all conference rooms at bsdad.uchicago.edu),788600513(domain users at bsdad.uchicago.edu),788670430(phs phsapps office excel 2013 users at bsdad.uchicago.edu),788672414(phs phsapps r v3.2.3 32-bit users at bsdad.uchicago.edu),339800245(cri-ahsan_lab at bsdad.uchicago.edu),788655034(fml$ n108 conference room freebusy read at bsdad.uchicago.edu),788670446(phs phsapps office word 2013 users at bsdad.uchicago.edu),788670437(phs phsapps plink 1.07 users at bsdad.uchicago.edu),788670443(phs phsapps sas 9.4 users at bsdad.uchicago.edu),788610930(hsd$ proof point at bsdad.uchicago.edu),788670432(phs phsapps mmc users at bsdad.uchicago.edu),788670433(phs phsapps mobaxterm users at bsdad.uchicago.edu),788658174(members of this group will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) I am not particularly well versed in deciphering IPA/NSS logs for SSSD, but at first review nothing is blaring, aside from these lines in the NSS log, which don't provide much good information: Error: 3, 0, Account info lookup failed Will try to return what we have in cache My goal is to spend at least some time focusing on this today to try and further identify root cause of being unable to lookup this user. I will report back if I find anything meaningful. In the meantime I would appreciate any advisement that could be provided. Thank you for replying to me. Best, Dan Sullivan On Jul 18, 2016, at 3:19 AM, Jakub Hrozek wrote: On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote: Jakub, Thank you for replying to me.
Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said: Thank you, but did this command return "No such user"? Yes. Whenever this occurs "No such user" is the result from the id command executed on the client. If it did, was the user cached previously (iow, was there a successfull lookup before) ? No, this is the first time the user has ever been looked up. As far as I know the user has never been successfully entered into the cache. Similarly, the user has never logged in to the IPA server via an SSSD client. Ah, thank you, if the user has not been cached before, then it's expected that the lookup has nothing to fall back to if the client fails to look up information from the server. Here is an example of a failed lookup from a client: [root at cri-kcriwebgdp1 problem]# id hahsan id: hahsan: No such user The DC logs for this operation are NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 Thank you, I see that there is quite a lot of groups and the lookup takes a bit of time. I wonder if any of the groups the user is a member of are large? If yes (and since moving the cache to tmpfs had helped), I wonder if also using ignore_group_members would mitigate the issue further, like this: subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout ignore_group_members = True ldap_purge_cache_timeout = 0 These would go into the domain section on the server itself. ******************************************************************************** This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you University of Chicago Medicine and Biological Sciences ******************************************************************************** From jhrozek at redhat.com Mon Jul 18 13:23:19 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 18 Jul 2016 15:23:19 +0200 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: References: <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix> <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu> <20160718081910.GU4734@hendrix> Message-ID: <20160718132319.GC4734@hendrix> On Mon, Jul 18, 2016 at 11:56:24AM +0000, Sullivan, Daniel [AAA] wrote: > Hi, Jakub, > > In line with your performance tuning document referenced prior in this > thread, I've actually already implemented the three configuration changes > you specified (prior to identifying this issue). Right now I am focusing on > the use case documented below, because as of right now I am unable to get > that user populated into a client cache with sssd 1.14, at all. In other > cases for individual users (prior to implementing tmpfs for example), it > seemed like an initial lookup on a client failed, then subsequent lookups > would succeed, presumably as a result of the DC eventually looking up and > caching the user. This user (the one I can't seem to lookup on a client) > is a member of a large number of groups, and also some of these groups > have longer names with spaces and special characters in them (i.e.
$ and > . @) I haven't gone through and checked if one of these groups has a > large number of users, primarily because I am able to lookup users that > are members of groups with a large number of members (over 1000) already. > This is an actual group that this user is a member of, for example: > > 788658174(members of this group will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) > > Right now my theory is that the @ in this group name is causing the lookup to fail, as it is used as a character to specify the actual domain of a trusted group, although that has yet to be verified. Yes, I would say this is the issue, because sssd tries to split the input string into name,domain components according to the re_expression value which tries to match anything before the first @ as a groupname and the rest as the username. Are also users that are not part of this group misbehaving? > > NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 > IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 > > Here is the full list of groups the user is a member of, from the output of the id command on a DC: > > uid=339741696(hahsan at bsdad.uchicago.edu) gid=339741696(hahsan at bsdad.uchicago.edu) groups=339741696(hahsan at bsdad.uchicago.edu),788655857(hsd$ kcbd 6260 conference room freebusy read at bsdad.uchicago.edu),788668882(phs phsapps remoteapp default apps at bsdad.uchicago.edu),788670425(phs phsapps notepad2 users at bsdad.uchicago.edu),788670429(phs phsapps cmd users at bsdad.uchicago.edu),339797692(cri-hpc_allusers at bsdad.uchicago.edu),788670440(phs phsapps r v3.2.0 32-bit users at bsdad.uchicago.edu),788672389(phs phsapps remote desktop users at bsdad.uchicago.edu),788655856(hsd$ w230 conference room freebusy read at bsdad.uchicago.edu),788670441(phs phsapps r v3.2.0 64-bit users at bsdad.uchicago.edu),788672413(phs phsapps r v3.2.3 64-bit users at bsdad.uchicago.edu),788670431(phs phsapps
file explorer users at bsdad.uchicago.edu),788670428(phs phsapps adobe reader xi users at bsdad.uchicago.edu),788609545(adm-trackitusers at bsdad.uchicago.edu),788615356(hsd$ workstation local login at bsdad.uchicago.edu),339794097(cri-lmem_cri_users at bsdad.uchicago.edu),788670445(phs phsapps taskmgr users at bsdad.uchicago.edu),788624309(hsd$ print at bsdad.uchicago.edu),788670436(phs phsapps notepadplusplus users at bsdad.uchicago.edu),788654299(cri-all_groups at bsdad.uchicago.edu),788670434(phs phsapps notepad users at bsdad.uchicago.edu),788670438(phs phsapps plink 1.90 users at bsdad.uchicago.edu),788670427(phs phsapps office access 2013 users at bsdad.uchicago.edu),788655855(hsd$ w229 conference room freebusy read at bsdad.uchicago.edu),788635799(adm-sde-clients at bsdad.uchicago.edu),788670439(phs phsapps office powerpoint 2013 user at bsdad.uchicago.edu),788610792(hsd$ all health studies at bsdad.uchicago.edu),788655854(hsd$ n102 conference room freebusy read at bsdad.uchicago.edu),339793627(cri-galaxy_web_users at bsdad.uchicago.edu),788670444(phs phsapps statamp 14 users at bsdad.uchicago.edu),339792922(cri-all_users at bsdad.uchicago.edu),788670442(phs phsapps rstudio users at bsdad.uchicago.edu),788655852(hsd$ freebusy read for all conference rooms at bsdad.uchicago.edu),788600513(domain users at bsdad.uchicago.edu),788670430(phs phsapps office excel 2013 users at bsdad.uchicago.edu),788672414(phs phsapps r v3.2.3 32-bit users at bsdad.uchicago.edu),339800245(cri-ahsan_lab at bsdad.uchicago.edu),788655034(fml$ n108 conference room freebusy read at bsdad.uchicago.edu),788670446(phs phsapps office word 2013 users at bsdad.uchicago.edu),788670437(phs phsapps plink 1.07 users at bsdad.uchicago.edu),788670443(phs phsapps sas 9.4 users at bsdad.uchicago.edu),788610930(hsd$ proof point at bsdad.uchicago.edu),788670432(phs phsapps mmc users at bsdad.uchicago.edu),788670433(phs phsapps mobaxterm users at bsdad.uchicago.edu),788658174(members of this group 
will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) > > I am not particularly well versed in deciphering IPA/NSS logs for SSSD, > but at first review nothing is blaring, aside from these lines in the NSS > log, which don't provide much good information: > > Error: 3, 0, Account info lookup failed > Will try to return what we have in cache > > My goal is to spend at least some time focusing on this today to try and further identify root cause of being unable to lookup this user. I will report back if I find anything meaningful. In the meantime I would appreciate any advisement that could be provided. > > Thank you for replying to me. > > Best, > > Dan Sullivan > > > > > > > > On Jul 18, 2016, at 3:19 AM, Jakub Hrozek wrote: > > On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote: > > Jakub, > > Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said: > > Thank you, but did this command return "No such user"? > > Yes. Whenever this occurs "No such user" is the result from the id command executed on the client. > > If it did, was the user cached previously (iow, was there a successfull > lookup before) ? > > No, this is the first time the user has ever been looked up. As far as I know the user has never been successfully entered into the cache. Similarly, the user has never logged in to the IPA server via an SSSD client. > > Ah, thank you, if the user has not been cached before, then it's > expected that the lookup has nothing to fall back to if the client fails > to look up information from the server.
> > > Here is an example of a failed lookup from a client: > > [root at cri-kcriwebgdp1 problem]# id hahsan > id: hahsan: No such user > > The DC logs for this operation are > NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 > IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 > > Thank you, I see that there is quite a lot of groups and the lookup > takes a bit of time. I wonder if any of the groups the user is a member > of are large? > > If yes (and since moving the cache to tmpfs had helped), I wonder if > also using ignore_group_members would mitigate the issue further, like > this: > > subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout > ignore_group_members = True > ldap_purge_cache_timeout = 0 > > These would go into the domain section on the server itself. From dsullivan2 at bsd.uchicago.edu Mon Jul 18 13:36:30 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Mon, 18 Jul 2016 13:36:30 +0000 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <20160718132319.GC4734@hendrix> References: <167FEB91-AB57-4A81-9F98-1D14298BDAB5@bsd.uchicago.edu> <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix> <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu> <20160718081910.GU4734@hendrix> <20160718132319.GC4734@hendrix> Message-ID: <67C4B61E-1D21-4BDB-8A3E-C025C69FD3DC@bsd.uchicago.edu> > Are also users that are not part of this group misbehaving? Not that I am aware of. I'll get you a real answer though. Are there any known workarounds to the @ problem used to transform group names (i.e. a more robust 'override_space' option)? I looked at the doc briefly but can't find anything. I was thinking maybe could use re_expression to tokenize group names by taking the last token parsed by @ for the domain portion, although this seems kind of hacky, also not sure if it would work. Dan > On Jul 18, 2016, at 8:23 AM, Jakub Hrozek wrote: > > On Mon, Jul 18, 2016 at 11:56:24AM +0000, Sullivan, Daniel [AAA] wrote: >> Hi, Jakub, >> >> In line with your performance tuning document referenced prior in this >> thread, I've actually already implemented the three configuration changes >> you specified (prior to identifying this issue). Right now I am focusing on >> the use case documented below, because as of right now I am unable to get >> that user populated into a client cache with sssd 1.14, at all.
In other >> cases for individual users (prior to implementing tmpfs for example), it >> seemed like an initial lookup on a client failed, then subsequent lookups >> would succeed, presumably as a result of the DC eventually looking up and >> caching the user. This user (the one I can't seem to lookup on a client) >> is a member of a large number of groups, and also some of these groups >> have longer names with spaces and special characters in them (i.e. $ and >> . @) I haven't gone through and checked if one of these groups has a >> large number of users, primarily because I am able to lookup users that >> are members of groups with a large number of members (over 1000) already. >> This is an actual group that this user is a member of, for example: >> >> 788658174(members of this group will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) >> >> Right now my theory is that the @ in this group name is causing the lookup to fail, as it is used as a character to specify the actual domain of a trusted group, although that has yet to be verified. > > Yes, I would say this is the issue, because sssd tries to split the > input string into name,domain components according to the re_expression > value which tries to match anything before the first @ as a groupname > and the rest as the username. > > Are also users that are not part of this group misbehaving? 
> >> >> NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 >> IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 >> >> Here is the full list of groups the user is a member of, from the output of the id command on a DC: >> >> uid=339741696(hahsan at bsdad.uchicago.edu) gid=339741696(hahsan at bsdad.uchicago.edu) groups=339741696(hahsan at bsdad.uchicago.edu),788655857(hsd$ kcbd 6260 conference room freebusy read at bsdad.uchicago.edu),788668882(phs phsapps remoteapp default apps at bsdad.uchicago.edu),788670425(phs phsapps notepad2 users at bsdad.uchicago.edu),788670429(phs phsapps cmd users at bsdad.uchicago.edu),339797692(cri-hpc_allusers at bsdad.uchicago.edu),788670440(phs phsapps r v3.2.0 32-bit users at bsdad.uchicago.edu),788672389(phs phsapps remote desktop users at bsdad.uchicago.edu),788655856(hsd$ w230 conference room freebusy read at bsdad.uchicago.edu),788670441(phs phsapps r v3.2.0 64-bit users at bsdad.uchicago.edu),788672413(phs phsapps r v3.2.3 64-bit users at bsdad.uchicago.edu),788670431(phs phsapps file explorer users at bsdad.uchicago.edu),788670428(phs phsapps adobe reader xi users at bsdad.uchicago.edu),788609545(adm-trackitusers at bsdad.uchicago.edu),788615356(hsd$ workstation local login at bsdad.uchicago.edu),339794097(cri-lmem_cri_users at bsdad.uchicago.edu),788670445(phs phsapps taskmgr users at bsdad.uchicago.edu),788624309(hsd$ print at bsdad.uchicago.edu),788670436(phs phsapps notepadplusplus users at bsdad.uchicago.edu),788654299(cri-all_groups at bsdad.uchicago.edu),788670434(phs phsapps notepad users at bsdad.uchicago.edu),788670438(phs phsapps plink 1.90 users at bsdad.uchicago.edu),788670427(phs phsapps office access 2013 users at bsdad.uchicago.edu),788655855(hsd$ w229 conference room freebusy read at bsdad.uchicago.edu),788635799(adm-sde-clients at bsdad.uchicago.edu),788670439(phs phsapps office powerpoint 2013 user at bsdad.uchicago.edu),788610792(hsd$ all health studies at 
bsdad.uchicago.edu),788655854(hsd$ n102 conference room freebusy read at bsdad.uchicago.edu),339793627(cri-galaxy_web_users at bsdad.uchicago.edu),788670444(phs phsapps statamp 14 users at bsdad.uchicago.edu),339792922(cri-all_users at bsdad.uchicago.edu),788670442(phs phsapps rstudio users at bsdad.uchicago.edu),788655852(hsd$ freebusy read for all conference rooms at bsdad.uchicago.edu),788600513(domain users at bsdad.uchicago.edu),788670430(phs phsapps office excel 2013 users at bsdad.uchicago.edu),788672414(phs phsapps r v3.2.3 32-bit users at bsdad.uchicago.edu),339800245(cri-ahsan_lab at bsdad.uchicago.edu),788655034(fml$ n108 conference room freebusy read at bsdad.uchicago.edu),788670446(phs phsapps office word 2013 users at bsdad.uchicago.edu),788670437(phs phsapps plink 1.07 users at bsdad.uchicago.edu),788670443(phs phsapps sas 9.4 users at bsdad.uchicago.edu),788610930(hsd$ proof point at bsdad.uchicago.edu),788670432(phs phsapps mmc users at bsdad.uchicago.edu),788670433(phs phsapps mobaxterm users at bsdad.uchicago.edu),788658174(members of this group will have full mailbox access and send as rights to urbjobs at health.bsd.uchicago.edu mailbox) >> >> I am not particularly well versed in deciphering IPA/NSS logs for SSSD, >> but at first review nothing is blaring, aside from these lines in the NSS >> log, which don't provide much good information: >> >> Error: 3, 0, Account info lookup failed >> Will try to return what we have in cache >> >> My goal is to spend at least some time focusing on this today to try and further identify the root cause of being unable to lookup this user. I will report back if I find anything meaningful. In the meantime I would appreciate any advisement that could be provided. >> >> Thank you for replying to me. 
>> >> Best, >> >> Dan Sullivan >> >> >> >> On Jul 18, 2016, at 3:19 AM, Jakub Hrozek wrote: >> >> On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote: >> >> Jakub, >> >> Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said: >> >> Thank you, but did this command return "No such user"? >> >> Yes. Whenever this occurs "No such user" is the result from the id command executed on the client. >> >> If it did, was the user cached previously (iow, was there a successful >> lookup before) ? >> >> No, this is the first time the user has ever been looked up. As far as I know the user has never been successfully entered into the cache. Similarly, the user has never logged in to the IPA server via an SSSD client. >> >> Ah, thank you, if the user has not been cached before, then it's >> expected that the lookup has nothing to fall back to if the client fails >> to look up information from the server. >> >> >> Here is an example of a failed lookup from a client: >> >> [root at cri-kcriwebgdp1 problem]# id hahsan >> id: hahsan: No such user >> >> The DC logs for this operation are >> NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5 >> IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1 >> >> Thank you, I see that there is quite a lot of groups and the lookup >> takes a bit of time. I wonder if any of the groups the user is a member >> of are large? >> >> If yes (and since moving the cache to tmpfs had helped), I wonder if >> also using ignore_group_members would mitigate the issue further, like >> this: >> >> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout >> ignore_group_members = True >> ldap_purge_cache_timeout = 0 >> >> These would go into the domain section on the server itself. 
From jhrozek at redhat.com Mon Jul 18 13:38:25 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 18 Jul 2016 15:38:25 +0200 Subject: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8) In-Reply-To: <67C4B61E-1D21-4BDB-8A3E-C025C69FD3DC@bsd.uchicago.edu> References: <20160715111324.GD30895@10.4.128.1> <7EC4261D-1563-4882-8F01-B9E0CD42BA85@bsd.uchicago.edu> <20160715121202.GP4734@hendrix> <25FD775D-1787-4EDB-9CEF-8B828F5B2B93@bsd.uchicago.edu> <20160715152011.GQ4734@hendrix> <7ADFB3C3-73D4-4D2C-A099-4A80A7DE8E72@bsd.uchicago.edu> <20160718081910.GU4734@hendrix> <20160718132319.GC4734@hendrix> <67C4B61E-1D21-4BDB-8A3E-C025C69FD3DC@bsd.uchicago.edu> Message-ID: <20160718133825.GE4734@hendrix> On Mon, Jul 18, 2016 at 01:36:30PM +0000, Sullivan, Daniel [AAA] wrote: > > Are also users that are not part of this group misbehaving? > > Not that I am aware of. I'll get you a real answer though. Are there any known workarounds to the @ problem used to transform group names (i.e. a more robust "override_space" option)? I looked at the doc briefly but can't find anything. The override_space really just concerns spaces, not @-characters. > > I was thinking maybe I could use re_expression to tokenize group names by taking the last token parsed by @ for the domain portion, although this seems kind of hacky, also not sure if it would work. Yes, I guess this should work. 
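An added example (not from the thread and not sssd's code) showing why a group name that itself contains an '@' breaks the first-@ split Jakub describes, and how Dan's idea of splitting on the last '@' avoids it. The two patterns and the sample group list are constructed for illustration; the group names follow the id output in the thread, with '@' where the archive prints ' at '. sssd's real re_expression value is not reproduced here, only its (?P<name>...)/(?P<domain>...) named-group convention.

```python
"""Splitting a fully qualified name into name and domain the way an
sssd-style re_expression does, and checking a group list for names that
would be mis-split.  Constructed example; the patterns are illustrative,
not sssd's defaults."""
import re

# Behaviour Jakub describes: everything before the FIRST '@' is the name,
# the remainder is taken as the domain.  A group name containing '@'
# therefore yields a domain sssd has never heard of.
FIRST_AT = re.compile(r"^(?P<name>[^@]+)(?:@(?P<domain>.+))?$")

# Dan's idea: the LAST '@' separates name and domain.  The lazy name group
# only stops expanding once the text after an '@' contains no further '@'.
LAST_AT = re.compile(r"^(?P<name>.+?)(?:@(?P<domain>[^@]+))?$")


def split_fqname(fqname, pattern):
    """Return (name, domain) for fqname; domain is None for a short name."""
    m = pattern.match(fqname)
    if m is None:
        raise ValueError("unparseable name: %r" % fqname)
    return m.group("name"), m.group("domain")


def find_missplit(fqnames, pattern, known_domains):
    """Return the names whose parsed domain is not one of known_domains.

    Such a name would be looked up in a domain that does not exist, which
    is how one odd group can make the whole user lookup fail.
    """
    bad = []
    for fq in fqnames:
        _, domain = split_fqname(fq, pattern)
        if domain is not None and domain.lower() not in known_domains:
            bad.append(fq)
    return bad


# Constructed sample data modelled on the id output quoted in the thread.
KNOWN_DOMAINS = {"bsdad.uchicago.edu"}
GROUPS = [
    "hahsan@bsdad.uchicago.edu",
    "hsd$ kcbd 6260 conference room freebusy read@bsdad.uchicago.edu",
    "domain users@bsdad.uchicago.edu",
    "members of this group will have full mailbox access and send as rights "
    "to urbjobs@health.bsd.uchicago.edu mailbox@bsdad.uchicago.edu",
]

if __name__ == "__main__":
    for label, pattern in (("first-@", FIRST_AT), ("last-@", LAST_AT)):
        bad = find_missplit(GROUPS, pattern, KNOWN_DOMAINS)
        print("%s split: %d group(s) land in an unknown domain" % (label, len(bad)))
        for fq in bad:
            print("  %r -> domain %r" % (fq, split_fqname(fq, pattern)[1]))
```

Running it against a real `id` listing is a quick way to confirm whether the expression in use, rather than group size, is what sends a lookup to a non-existent domain.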
From rcritten at redhat.com Mon Jul 18 13:54:37 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2016 09:54:37 -0400 Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys' In-Reply-To: <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu> <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <578CDF9D.3020402@redhat.com> Sumit Bose wrote: > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote: >> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote: >>> On (16/07/16 10:19), Martin Štefany wrote: >>>> >>>> Hello Sumit, >>>> >>>> seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD >>>> logs, but same problem: 'Error looking up public keys'. >>>> >>>> selinux-policy-3.13.1-191.fc24.3.noarch >>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch >>>> sssd-1.13.4-3.fc24.x86_64 >>>> >>> Fedora 23 and fedora 24 have the same version of sssd >>> and almost the same version of openssh. >>> I have no idea what could break it if there are not any AVCs. >>> >>>> >>>> Using debug_level 0x0250 :: >>>> >>> For troubleshooting, it would be better to see all >>> debug messages. (debug_level = 0xfff0) >> >> Hello Lukas, >> >> thanks for replying on this, here are debug_level = 0xfff0 messages >> > > ... > >> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): >> CERT_VerifyCertificateNow failed [-8179]. >> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): >> cert_to_ssh_key failed. 
> > -8179 translates to "Peer's certificate issuer is not recognized." > (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html). > This means the CA certificate which signed the certificate on the > Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD. > > Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb, > this might be the reason why you see this with F24. > > To fix this please either add the needed CA certificates to > /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the > [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA > certificates to validate the Smartcard certificate. > > I'm working on a fix for SSSD to handle this change > automatically, but unfortunately it is not ready yet. The client installer should be adding the IPA CA to the system certificate store which should be picked up automagically by OpenSSL and NSS applications. I think I'd start there to see if that happened. rob From rcritten at redhat.com Mon Jul 18 13:57:57 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2016 09:57:57 -0400 Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment In-Reply-To: References: <375f7afa-d065-207b-6956-5c0f30ea1cd4@redhat.com> Message-ID: <578CE065.60709@redhat.com> Grant Wu wrote: > Thanks for the information. Do you know if there are any plans to > support cross-realm trust with general KDCs? 
https://fedorahosted.org/freeipa/ticket/4867 rob From sbose at redhat.com Mon Jul 18 14:32:33 2016 From: sbose at redhat.com (Sumit Bose) Date: Mon, 18 Jul 2016 16:32:33 +0200 Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys' In-Reply-To: <578CDF9D.3020402@redhat.com> References: <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu> <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <578CDF9D.3020402@redhat.com> Message-ID: <20160718143233.GC4387@p.Speedport_W_724V_Typ_A_05011603_00_009> On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote: > Sumit Bose wrote: > > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote: > > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote: > > > > On (16/07/16 10:19), Martin Štefany wrote: > > > > > > > > > > Hello Sumit, > > > > > > > > > > seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD > > > > > logs, but same problem: 'Error looking up public keys'. > > > > > > > > > > selinux-policy-3.13.1-191.fc24.3.noarch > > > > > selinux-policy-targeted-3.13.1-191.fc24.3.noarch > > > > > sssd-1.13.4-3.fc24.x86_64 > > > > > > > > > Fedora 23 and fedora 24 have the same version of sssd > > > > and almost the same version of openssh. > > > > I have no idea what could break it if there are not any AVCs. > > > > > > > > > > > > > > Using debug_level 0x0250 :: > > > > > > > > > For troubleshooting, it would be better to see all > > > > debug messages. (debug_level = 0xfff0) > > > > > > Hello Lukas, > > > > > > thanks for replying on this, here are debug_level = 0xfff0 messages > > > > > > > ... 
> > > > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): > > > CERT_VerifyCertificateNow failed [-8179]. > > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): > > > cert_to_ssh_key failed. > > > > -8179 translates to "Peer's certificate issuer is not recognized." > > (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html). > > This means the CA certificate which signed the certificate on the > > Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD. > > > > Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb, > > this might be the reason why you see this with F24. > > > > To fix this please either add the needed CA certificates to > > /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the > > [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA > > certificates to validate the Smartcard certificate. > > > > I'm working on a fix for SSSD to handle this change > > automatically, but unfortunately it is not ready yet. > > The client installer should be adding the IPA CA to the system certificate > store which should be picked up automagically by OpenSSL and NSS > applications. I think I'd start there to see if that happened. The responsibility for this was delegated to p11-kit in 11592dde1b232a70f318e01f5271b38890090648. Not sure if it was expected that p11-kit-proxy will be added to /etc/pki/nssdb by default? 
bye, Sumit > > rob > From pvoborni at redhat.com Mon Jul 18 14:44:29 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 18 Jul 2016 16:44:29 +0200 Subject: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment In-Reply-To: <578CE065.60709@redhat.com> References: <375f7afa-d065-207b-6956-5c0f30ea1cd4@redhat.com> <578CE065.60709@redhat.com> Message-ID: <73b5188f-5496-cdb7-606a-17bf376ee3fa@redhat.com> On 07/18/2016 03:57 PM, Rob Crittenden wrote: > Grant Wu wrote: >> Thanks for the information. Do you know if there are any plans to >> support cross-realm trust with general KDCs? > > https://fedorahosted.org/freeipa/ticket/4867 > > rob In general, IPA contains a krb5 component which can in theory be configured to trust another krb5 KDC. But this procedure is manual. IPA doesn't provide any tooling to ease it and it is not tested, therefore not supported. The general Kerberos realm trust is not planned for any upcoming release, mostly because we don't see a big demand for it. Feel free to cc yourself or add a comment to https://fedorahosted.org/freeipa/ticket/4917 It will raise the visible demand. Ticket 4867 is different, it is about IPA-IPA trusts where the scope is more confined. It may or may not (more probable) allow the trust with a general KDC as a side effect. Demand for IPA-IPA trust is rising so it is definitely on our radar and has a chance to be implemented in some of the upcoming releases. For completeness, there is also an RFE to support IPA-SAMBA 4 DC trusts: https://fedorahosted.org/freeipa/ticket/4866 -- Petr Vobornik From pvoborni at redhat.com Mon Jul 18 14:50:09 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 18 Jul 2016 16:50:09 +0200 Subject: [Freeipa-users] IPA certificates expired, please help! In-Reply-To: References: <578950E8.6040902@redhat.com> Message-ID: On 07/18/2016 05:45 AM, Linov Suresh wrote: > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and > certmonger. 
Looks like certificates were renewed. But I'm getting a different > error now, > > *ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".* Is PKI running? When you change the time, does a restart of IPA help? > > [root at caer ~]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=caer.teloip.net,O=TELOIP.NET > > expires: 2016-07-18 15:54:36 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=caer.teloip.net,O=TELOIP.NET > > expires: 2016-07-18 15:54:52 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=caer.teloip.net 
,O=TELOIP.NET > > expires: 2016-07-18 15:55:04 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: MONITORING > ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=CA Audit,O=TELOIP.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: MONITORING > ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=OCSP Subsystem,O=TELOIP.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: MONITORING > ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=CA Subsystem,O=TELOIP.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=RA Subsystem,O=TELOIP.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20130519130745': > status: MONITORING > ca-error: Internal error: no response to > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > subject: CN=caer.teloip.net,O=TELOIP.NET > > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET" > track: yes > auto-renew: yes > [root at caer ~]# > > Your help is highly appreciated! > > > > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden wrote: > > Linov Suresh wrote: > > I logged into my IPA master, and found that the cert had expired again, > we renewed these certificates about 18 months ago. > > Our environment is CentOS 6.4 and IPA 3.0.0-26. > > > I followed the Redhat documentation, How do I manually renew Identity > Management (IPA) certificates after they have expired? (Master IPA > Server), https://access.redhat.com/solutions/643753 but no luck. 
> > > I have also changed the directive "NSSEnforceValidCerts off" in > /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn. > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* > -b cn=config | grep nsslapd-validate-cert > > nsslapd-validate-cert: warn > > Here is my getcert list, > > [root at caer ~]# getcert list > > > It looks like your CA subsystem certificates all renewed successfully; it is > just the webserver and LDAP certificates that need renewing, so that's good. > > What I'd do is go back in time again to say Jan 20, 2016 and restart > certmonger. That should make it retry the renewals. > > rob > > > > -- Petr Vobornik From rcritten at redhat.com Mon Jul 18 15:42:19 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 18 Jul 2016 11:42:19 -0400 Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys' In-Reply-To: <20160718143233.GC4387@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu> <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <578CDF9D.3020402@redhat.com> <20160718143233.GC4387@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <578CF8DB.9020700@redhat.com> Sumit Bose wrote: > On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote: >> Sumit Bose wrote: >>> On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote: >>>> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote: >>>>> On (16/07/16 10:19), Martin Štefany wrote: >>>>>> >>>>>> Hello Sumit, >>>>>> >>>>>> seems that upgrade to F24 broke things again. 
This time no AVCs, empty SSSD >>>>>> logs, but same problem: 'Error looking up public keys'. >>>>>> >>>>>> selinux-policy-3.13.1-191.fc24.3.noarch >>>>>> selinux-policy-targeted-3.13.1-191.fc24.3.noarch >>>>>> sssd-1.13.4-3.fc24.x86_64 >>>>>> >>>>> Fedora 23 and fedora 24 have the same version of sssd >>>>> and almost the same version of openssh. >>>>> I have no idea what could break it if there are not any AVCs. >>>>> >>>>>> >>>>>> Using debug_level 0x0250 :: >>>>>> >>>>> For troubleshooting, it would be better to see all >>>>> debug messages. (debug_level = 0xfff0) >>>> >>>> Hello Lukas, >>>> >>>> thanks for replying on this, here are debug_level = 0xfff0 messages >>>> >>> >>> ... >>> >>>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): >>>> CERT_VerifyCertificateNow failed [-8179]. >>>> (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): >>>> cert_to_ssh_key failed. >>> >>> -8179 translates to "Peer's certificate issuer is not recognized." >>> (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html). >>> This means the CA certificate which signed the certificate on the >>> Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD. >>> >>> Recent versions of IPA put IPA CA certificates only in /etc/ipa/nssdb, >>> this might be the reason why you see this with F24. >>> >>> To fix this please either add the needed CA certificates to >>> /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the >>> [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA >>> certificates to validate the Smartcard certificate. >>> >>> I'm working on a fix for SSSD to handle this change >>> automatically, but unfortunately it is not ready yet. >> >> The client installer should be adding the IPA CA to the system certificate >> store which should be picked up automagically by OpenSSL and NSS >> applications. I think I'd start there to see if that happened. 
> > The responsibility for this was delegated to p11-kit in > 11592dde1b232a70f318e01f5271b38890090648. Not sure if it was expected > that p11-kit-proxy will be added to /etc/pki/nssdb by default? That I'm not sure. Kai might know. rob From linov.suresh at gmail.com Mon Jul 18 16:00:33 2016 From: linov.suresh at gmail.com (Linov Suresh) Date: Mon, 18 Jul 2016 12:00:33 -0400 Subject: [Freeipa-users] IPA certificates expired, please help! In-Reply-To: References: <578950E8.6040902@redhat.com> Message-ID: Yes, PKI is running and I don't see any errors in selftests, I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10. The only change which I made was clean up userCertificate;binary before adding new userCertificate in LDAP, which is step 12. [root at caer ~]# /etc/init.d/pki-cad status pki-ca (pid 8634) is running... [ OK ] Unsecure Port = http://caer.teloip.net:9180/ca/ee/ca Secure Agent Port = https://caer.teloip.net:9443/ca/agent/ca Secure EE Port = https://caer.teloip.net:9444/ca/ee/ca Secure Admin Port = https://caer.teloip.net:9445/ca/services EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca PKI Console Port = pkiconsole https://caer.teloip.net:9445/ca Tomcat Port = 9701 (for shutdown) PKI Instance Name: pki-ca PKI Subsystem Type: Root CA (Security Domain) Registered PKI Security Domain Information: ========================================================================== Name: IPA URL: https://caer.teloip.net:9445 ========================================================================== [root at caer ~]# [root at caer ~]# tail -f /var/log/pki-ca/selftests.log 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 8634.main - 
[18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup! Your help is highly appreciated! Linov Suresh 70 Forest Manor Rd. Toronto ON M2J 0A9 Mobile: +1 647 406 9438 Linkedin: ca.linkedin.com/in/linov/ Website: http://mylinuxthoughts.blogspot.com On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote: > On 07/18/2016 05:45 AM, Linov Suresh wrote: > > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and > > certmonger. Look like certificates were renewed. But I'm getting a > different > > error now, > > > > *ca-error: Internal error: no response to > > " > http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ".* > > Is PKI running? When you change the time, does restart of IPA help? > > > > > [root at caer ~]# getcert list > > Number of certificates and requests being tracked: 8. 
> > Request ID '20111214223243':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:54:36 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223300':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:54:52 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223316':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:55:04 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130741':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Audit,O=TELOIP.NET
> >         expires: 2017-10-13 14:10:49 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130742':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130743':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130744':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=RA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130745':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> >         track: yes
> >         auto-renew: yes
> > [root@caer ~]#
> >
> > Your help is highly appreciated!
> >
> >
> >
> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden wrote:
> >
> >     Linov Suresh wrote:
> >
> >         I logged into my IPA master, and found that the cert had expired again,
> >         we renewed these certificates about 18 months ago.
> >
> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
> >
> >         I followed the Redhat documentation, How do I manually renew Identity
> >         Management (IPA) certificates after they have expired? (Master IPA
> >         Server), https://access.redhat.com/solutions/643753 but no luck.
> >
> >         I have also changed the directive "NSSEnforceValidCerts off" in
> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
> >
> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> >         -b cn=config | grep nsslapd-validate-cert
> >
> >         nsslapd-validate-cert: warn
> >
> >         Here is my getcert list,
> >
> >         [root@caer ~]# getcert list
> >
> >
> >     It looks like your CA subsystem certificates all renewed successfully it is
> >     just the webserver and LDAP certificates that need renewing so that's good.
> >
> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
> >     certmonger. That should make it retry the renewals.
> >
> >     rob
> >
>
> --
> Petr Vobornik
>

From linov.suresh at gmail.com Mon Jul 18 16:37:08 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Mon, 18 Jul 2016 12:37:08 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: 
References: <578950E8.6040902@redhat.com>
Message-ID: 

*Update: my webserver and LDAP certificates were expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*

*Could you please help us?*

[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:54:36 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:54:52 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:55:04 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
        track: yes
        auto-renew: yes

On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:

> Yes, PKI is running and I don't see any errors in selftests, I have
> followed https://access.redhat.com/solutions/643753 and restarted the PKI
> in step 10.
>
> The only change which I made was clean up userCertificate;binary before
> adding new userCertificate in LDAP, which is step 12.
>
> [root@caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...                            [  OK  ]
>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>     Tomcat Port         = 9701 (for shutdown)
>
>     PKI Instance Name:   pki-ca
>
>     PKI Subsystem Type:  Root CA (Security Domain)
>
>     Registered PKI Security Domain Information:
>
>     ==========================================================================
>     Name:  IPA
>     URL:   https://caer.teloip.net:9445
>
>     ==========================================================================
> [root@caer ~]#
> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is highly appreciated!
>
>
> Linov Suresh
>
> 70 Forest Manor Rd.
> Toronto
> ON M2J 0A9
> Mobile: +1 647 406 9438
> Linkedin: ca.linkedin.com/in/linov/
> Website: http://mylinuxthoughts.blogspot.com
>
>
> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>> > certmonger. Looks like certificates were renewed. But I'm getting a different
>> > error now,
>> >
>> > *ca-error: Internal error: no response to
>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>
>> Is PKI running? When you change the time, does restart of IPA help?
>>
>> >
>> > [root@caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:54:36 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223300':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:54:52 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223316':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:55:04 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Audit,O=TELOIP.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-OCSPSigning
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130743':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130744':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=RA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130745':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>> >         track: yes
>> >         auto-renew: yes
>> > [root@caer ~]#
>> >
>> > Your help is highly appreciated!
>> >
>> >
>> >
>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden wrote:
>> >
>> >     Linov Suresh wrote:
>> >
>> >         I logged into my IPA master, and found that the cert had expired again,
>> >         we renewed these certificates about 18 months ago.
>> >
>> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>> >
>> >
>> >         I followed the Redhat documentation, How do I manually renew Identity
>> >         Management (IPA) certificates after they have expired? (Master IPA
>> >         Server), https://access.redhat.com/solutions/643753 but no luck.
>> >
>> >
>> >         I have also changed the directive "NSSEnforceValidCerts off" in
>> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>> >
>> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>> >         -b cn=config | grep nsslapd-validate-cert
>> >
>> >         nsslapd-validate-cert: warn
>> >
>> >         Here is my getcert list,
>> >
>> >         [root@caer ~]# getcert list
>> >
>> >
>> >     It looks like your CA subsystem certificates all renewed successfully it is
>> >     just the webserver and LDAP certificates that need renewing so that's good.
>> >
>> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
>> >     certmonger. That should make it retry the renewals.
>> >
>> >     rob
>> >
>>
>> --
>> Petr Vobornik
>>
>

From guillermo.fuentes at modernizingmedicine.com Mon Jul 18 18:37:58 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Mon, 18 Jul 2016 14:37:58 -0400
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
In-Reply-To: <7cda6ee5-fac5-bd8f-d23f-bcc54c92318d@redhat.com>
References: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com> <7cda6ee5-fac5-bd8f-d23f-bcc54c92318d@redhat.com>
Message-ID: 

Hi all,

Did any ipa/sssd developer have a chance to take a look at this issue?

Updating to the latest version available for CentOS 7 didn't fix it:
ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64
389-ds-base-libs-1.3.4.0-32.el7_2.x86_64
389-ds-base-1.3.4.0-32.el7_2.x86_64
389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64

Please let me know if you need more information or how I can help to get it fixed.

Thanks so much,
Guillermo

On Mon, Jun 13, 2016 at 6:30 PM, Rich Megginson wrote:

> On 06/13/2016 01:13 PM, Guillermo Fuentes wrote:
>
>> Hi Rich,
>>
>> After I started running the stack traces, the problem hasn't happened as
>> frequently as it used to but today I was able to get the stack traces.
>> As they aren't similar I'll send them over to you in a separate email.
>>
>> This is what I did to start the stack traces (CentOS 7):
>> # yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo ipa-debuginfo slapi-nis-debuginfo nspr-debuginfo
>> # yum install -y gdb
>> # systemctl stop ipa.service ; sleep 10; systemctl start ipa.service
>> # mkdir -p /var/log/stacktraces
>>
>> Setup crontab to run the following every minute:
>> gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd `pidof ns-slapd` > /var/log/stacktraces/stacktrace.`date +%s`.txt 2>&1
>>
>
> It looks similar to https://fedorahosted.org/389/ticket/48341 but you
> already have that fix.
>
> One of the problems is that ids_sasl_check_bind acquires the connection
> lock and holds it for a very long time, which causes the main loop to block
> on that connection, which is similar to the above problem, and also similar
> to https://fedorahosted.org/389/ticket/48882. Basically, anything which
> holds the connection c_mutex lock too long can hang the server. In your
> case, this stack trace:
>
> poll sss_cli_make_request_nochecks sss_cli_check_socket
> sss_pac_make_request sssdpac_verify krb5int_authdata_verify
> rd_req_decoded_opt krb5_rd_req_decoded kg_accept_krb5
> krb5_gss_accept_sec_context_ext krb5_gss_accept_sec_context
> gss_accept_sec_context gssapi_server_mech_step sasl_server_step
> sasl_server_start ids_sasl_check_bind do_bind connection_dispatch_operation
> _pt_root start_thread clone
>
> I'm not sure if this particular situation is known/fixed. Perhaps there
> is a way to make the poll() called by sss_cli_make_request_nochecks() have
> a smaller timeout?
>
> Does this look familiar to any ipa/sssd developer?
>
>
>> Thank you so much for your help,
>>
>> Guillermo
>>
>>
>> On Wed, Jun 1, 2016 at 6:52 PM, Guillermo Fuentes wrote:
>>
>>> I'm now taking stack traces every minute and waiting for it to hang
>>> again to check it. It happens usually under load but it's
>>> unpredictable. Most likely tomorrow.
>>>
>>> GUILLERMO FUENTES
>>> SR. SYSTEMS ADMINISTRATOR
>>>
>>> 561-880-2998 x1337
>>>
>>> guillermo.fuentes at modmed.com
>>>
>>>
>>> On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson wrote:
>>>
>>>> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> We are experiencing a similar issue like the one discussed in the
>>>>> following thread but we are running FreeIPA 4.2 on CentOS 7.2:
>>>>>
>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html
>>>>>
>>>>
>>>> Are your stack traces similar?
>>>>
>>>>
>>>>> LDAP service stops responding to queries (hangs). LDAP connections on
>>>>> the server climb sometimes up to 10 times the normal amount and load
>>>>> goes to 0. Then, the connections start to drop until they get to a
>>>>> normal level and the LDAP service starts to respond to queries again.
>>>>> This happens in between 3-5 minutes:
>>>>>
>>>>> Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
>>>>> 8:54:03,101,353,216,142,0.43,0.20,0.16
>>>>> 8:55:02,108,359,221,142,0.19,0.18,0.15
>>>>> 8:56:03,110,361,224,142,0.07,0.15,0.14
>>>>> 8:57:14,117,383,246,142,0.15,0.16,0.15
>>>>> 8:58:04,276,371,234,142,0.05,0.13,0.14
>>>>> 8:59:05,469,371,234,142,0.02,0.11,0.13
>>>>> 9:00:08,719,371,234,142,0.01,0.09,0.12
>>>>> 9:01:18,1060,371,234,142,0.00,0.07,0.12
>>>>> 9:02:10,742,371,233,142,0.10,0.09,0.12
>>>>> 9:03:06,365,372,235,142,0.13,0.10,0.13
>>>>> 9:04:04,262,379,242,142,0.87,0.29,0.19
>>>>> 9:05:02,129,371,233,142,0.51,0.31,0.20
>>>>> 9:06:03,126,377,240,142,0.42,0.33,0.22
>>>>> 9:07:03,125,377,238,142,0.17,0.27,0.21
>>>>>
>>>>> Nothing is logged in the errors log file of the server having the
>>>>> problem (ipa1 as an example).
>>>>> In the replicas this is logged:
>>>>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>>>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>>>>
>>>>> Nothing is logged in the access log file until after ns-slapd starts
>>>>> responding again:
>>>>> ...
>>>>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 to 172.20.2.45
>>>>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 to 172.20.2.45
>>>>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 to 172.20.2.45
>>>>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 to 172.20.2.45
>>>>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
>>>>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>>>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
>>>>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>>>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
>>>>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>>>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>>>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>>>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from 172.20.0.24 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>>>>> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from 172.20.0.24 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>>>>> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from 172.20.0.24 to 172.20.2.45
>>>>> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from
172.20.0.1 >>>>> to 172.20.2.45 >>>>> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from >>>>> 172.20.0.24 to 172.20.2.45 >>>>> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 >>>>> to 172.20.2.45 >>>>> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 >>>>> to 172.20.2.45 >>>>> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 >>>>> to 172.20.2.45 >>>>> ... >>>>> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 >>>>> mech=GSSAPI >>>>> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1 >>>>> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 >>>>> mech=GSSAPI >>>>> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 >>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1 >>>>> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 >>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1 >>>>> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 >>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1 >>>>> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>> 9:02:00 -0400] conn=12391 op=2 UNBIND >>>>> 9:02:00 -0400] conn=12396 op=2 UNBIND >>>>> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - 
U1 >>>>> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1 >>>>> 9:02:00 -0400] conn=12400 op=2 UNBIND >>>>> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1 >>>>> ... >>>>> >>>>> >>>>> Environment: >>>>> # cat /etc/redhat-release >>>>> CentOS Linux release 7.2.1511 (Core) >>>>> >>>>> # rpm -qa ipa* >>>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>> >>>>> # rpm -qa 389* >>>>> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64 >>>>> 389-ds-base-1.3.4.0-30.el7_2.x86_64 >>>>> >>>>> We have 4 FreeIPA servers with replication working fine between them. >>>>> ipa1 is handling LDAP authentication for +400 clients and has been >>>>> tunned as recommended per >>>>> >>>>> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html >>>>> >>>>> Is this a known issue? >>>>> Any idea what can be causing ns-slapd to hang? >>>>> >>>>> Thanks in advance! >>>>> >>>>> Guillermo >>>>> >>>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> > > -------------- next part -------------- An HTML attachment was scrubbed... 
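As an added example (not part of the thread), the stall Guillermo describes can be picked up from the numbers he posted even though the hung server logs nothing itself: connections climb well above baseline while load1 collapses, and in the same window the replicas record startReplication timeouts against it. The script parses the metrics sample and the replica errors-log lines quoted above; the 2x-baseline and load1 < 0.2 thresholds are assumptions.

```python
"""Flag the ns-slapd stall pattern described above: client connections pile up while
load on the stalled server drops to ~0, and replicas log startReplication timeouts
against it. Added example; the thresholds are assumptions, not from the thread."""
import csv
import io
import re
import statistics
from dataclasses import dataclass, field
from datetime import datetime, time

# Metrics exactly as posted in the thread (roughly one sample per minute on ipa1).
METRICS_CSV = """\
Time,LDAP conn, Opened files(ns-slapd), File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
8:54:03,101,353,216,142,0.43,0.20,0.16
8:55:02,108,359,221,142,0.19,0.18,0.15
8:56:03,110,361,224,142,0.07,0.15,0.14
8:57:14,117,383,246,142,0.15,0.16,0.15
8:58:04,276,371,234,142,0.05,0.13,0.14
8:59:05,469,371,234,142,0.02,0.11,0.13
9:00:08,719,371,234,142,0.01,0.09,0.12
9:01:18,1060,371,234,142,0.00,0.07,0.12
9:02:10,742,371,233,142,0.10,0.09,0.12
9:03:06,365,372,235,142,0.13,0.10,0.13
9:04:04,262,379,242,142,0.87,0.29,0.19
9:05:02,129,371,233,142,0.51,0.31,0.20
9:06:03,126,377,240,142,0.42,0.33,0.22
9:07:03,125,377,238,142,0.17,0.27,0.21
"""

# Replica errors-log lines as quoted in the thread; the stalled server itself logs nothing.
REPLICA_ERRORS = """\
8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
"""

TIMEOUT_RE = re.compile(
    r"^(?P<clock>\d{1,2}:\d{2}:\d{2}) [-+]\d{4}\] NSMMReplicationPlugin - "
    r'agmt="[^"]+" \((?P<consumer>[^)]+)\): '
    r"Unable to receive the response for a startReplication extended operation"
)


@dataclass
class Sample:
    at: time
    conns: int
    load1: float


@dataclass
class StallWindow:
    start: time
    end: time
    baseline: float
    peak_conns: int
    timeouts: list = field(default_factory=list)  # (time, consumer) pairs seen by replicas


def _clock(text: str) -> time:
    return datetime.strptime(text.strip(), "%H:%M:%S").time()


def parse_metrics(text: str) -> list:
    rows = csv.reader(io.StringIO(text.strip()))
    next(rows)  # skip the header row
    return [Sample(_clock(r[0]), int(r[1]), float(r[5])) for r in rows]


def parse_replica_timeouts(text: str) -> list:
    matches = (TIMEOUT_RE.match(line) for line in text.splitlines())
    return [(_clock(m["clock"]), m["consumer"]) for m in matches if m]


def find_stall_windows(samples, conn_factor=2.0, load1_max=0.2, warmup=4) -> list:
    """Contiguous samples with connections above conn_factor x the median of the first
    `warmup` (assumed quiet) samples while load1 stays below load1_max: clients queue up."""
    base = float(statistics.median(s.conns for s in samples[:warmup]))
    windows, current = [], None
    for s in samples:
        if s.conns > base * conn_factor and s.load1 < load1_max:
            if current is None:
                current = StallWindow(s.at, s.at, base, s.conns)
            else:
                current.end = s.at
                current.peak_conns = max(current.peak_conns, s.conns)
        elif current is not None:
            windows.append(current)
            current = None
    if current is not None:
        windows.append(current)
    return windows


def correlate(windows, timeouts) -> list:
    """Attach the replica-side timeouts that fall inside each stall window."""
    for w in windows:
        w.timeouts = [t for t in timeouts if w.start <= t[0] <= w.end]
    return windows


def report(metrics: str = METRICS_CSV, errors: str = REPLICA_ERRORS) -> list:
    windows = correlate(find_stall_windows(parse_metrics(metrics)), parse_replica_timeouts(errors))
    return [f"stall {w.start:%H:%M:%S}-{w.end:%H:%M:%S}: peak {w.peak_conns} conns (baseline "
            f"{w.baseline:.0f}), {len(w.timeouts)} replica timeout(s) against "
            f"{sorted({c for _, c in w.timeouts}) or 'none'}" for w in windows]


if __name__ == "__main__":
    print("\n".join(report()) or "no stall detected")
```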
From kaie at redhat.com Mon Jul 18 16:42:02 2016
From: kaie at redhat.com (Kai Engert)
Date: Mon, 18 Jul 2016 18:42:02 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <578CF8DB.9020700@redhat.com>
References: <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160716133740.GA16185@10.4.128.1> <1468790494.3762.1.camel@stefany.eu> <20160718075054.GA4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <578CDF9D.3020402@redhat.com> <20160718143233.GC4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <578CF8DB.9020700@redhat.com>
Message-ID: <1468860122.3043.50.camel@redhat.com>

On Mon, 2016-07-18 at 11:42 -0400, Rob Crittenden wrote:
> That I'm not sure. Kai might know.

Since there were several open questions, we discussed that on IRC.

To summarize here: if you want to install a CA that should be trusted by all applications on a system, you probably shouldn't install into /etc/pki/nssdb any more. Instead, you should install to the proper directory below /etc/pki/ca-trust/source/ and execute update-ca-trust (see the man page).

In addition, if you write an NSS application and you want it to trust (and distrust) all the CAs that are installed globally on the system, then, after you init NSS using the usual init APIs, you should execute a call to load the NSS trust module, which is named libnssckbi.so

The call is:
SECMOD_AddNewModule("Builtins", DLL_PREFIX "nssckbi." DLL_SUFFIX, 0, 0);
(the DLL_*FIX symbols are helpful when you need cross platform code)

An example is here:
https://hg.mozilla.org/projects/nss/file/tip/cmd/tstclnt/tstclnt.c#l1312

Note that the libnssckbi.so in the LD search path is a symbolic link, which on modern systems points to the replacement module from p11-kit-trust.rpm, which will dynamically give you the trust information that's managed as explained in the update-ca-trust manual page.

Kai

From bpk678 at gmail.com Mon Jul 18 21:06:09 2016
From: bpk678 at gmail.com (Brendan Kearney)
Date: Mon, 18 Jul 2016 17:06:09 -0400
Subject: [Freeipa-users] non-authoritative tricks for DNS resolution
In-Reply-To: <0a093d72-8c2a-19a4-54ad-8ab386b023b0@redhat.com>
References: <578BEC49.6060705@gmail.com> <9521194D-D168-41D4-B588-1B18578F70D1@bsd.uchicago.edu> <0a093d72-8c2a-19a4-54ad-8ab386b023b0@redhat.com>
Message-ID: <578D44C1.7000501@gmail.com>

On 07/18/2016 06:12 AM, Petr Spacek wrote:
> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
>> Would a DNS view (bind) work?
>>
>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>>
>> Also, depending on what you are using for NAT, some devices will mangle the reply payload of A record lookups as they traverse NAT to avoid hairpinning (a packet going out and then back in the same interface as it traverses NAT). This is known as DNS doctoring, at least in the world of Cisco.
>>
>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
>>
>> Let me know if either of those will solve your problem. If not, I might have a misunderstanding of what you are asking.
>>
>> Dan
>>
>>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney wrote:
>>>
>>> i am looking to setup a VPN in order to access some resources, and want to point my clients at this resource via DNS. the resource i am accessing is internet resolvable, but i am accessing it via the VPN, and using a NAT for the VPN (full 1-to-1 or static NAT).
i want to have a record in my DNS for this resource, using its proper name (which i am not authoritative for), but assign it the IP of my NAT. >>> >>> say for example, host.domain-ext.tld is the resource i want to access, and it resolves externally to 1.2.3.4. my VPN NAT would be 192.168.99.137. i want internal resolution of DNS to point to 192.168.99.137 so the network routing takes my internal clients to the VPN and not out to the internet. >>> >>> i am using isc bind, bind-dyndb-ldap, and fedora, but not freeipa, for dns. how do i setup the zone and record to accomplish this DNS trick? i have talked with some DNS gurus and they indicate that i can do something with the "@" record. it seems that the record i want, would be its own zone, and the @ record would point to the name, and the SOA would be the NAT IP. i could be wrong about the details, but something like this is how to setup resolution the way i want. >>> >>> any pointers would be greatly appreciated. > Background note: > All these DNS tricks are hacks to work around IP routing problem in > configuration you described. > > If you really want to use DNS tricks, you can create a DNS zone with name > equal to the you want to override and will this zone with A/AAAA record at > zone apex (@). > The DNS approach has some inherent advantages: > > 1. All DNS names below the name you want to 'hijack' will not be resolvable in > your network. E.g. if the name is hijacked.example.com. then sub-domains like > anything.hijacked.example.com. will not be resolvable. > > 2. Your clients will go securely over VPN if and only if they use your local > DNS servers. Any client configured (even accidentally) to use some other DNS > server (e.g. public 8.8.8.8) will get the 'public' address and do not tunnel > the traffic over VPN. 
> > > Secure and reliable solution is not to use DNS but solve things on IP layer: > On the network gateway, configure IPSec tunnel (or any other VPN) in a way > that *the original IP address* is routed over VPN. > > This does not require any DNS tricks and thus will work regardless of client > configuration. > > I hope it helps. > our posture states that we do not route network space that is not ours, unless exigent circumstances dictate otherwise. we have dedicated address space to NAT pools, in order to facilitate this. we also forbid external dns resolution from endpoints, by limiting what can go out to the roots for recursion. misconfigured clients are not able to perform DNS resolution. we work with our counterparts on the other side of the VPN to ensure we are only adding a host record, and that sub-domains are not a point of failure for our access. in terms of setting up this zone, how would one construct the ldif to create it? because i am not using FreeIPA, i do not have the seemingly built-in tools to perform this function. any reading material on the subject is welcomed. 
thanks, brendan

From pgb205 at yahoo.com Mon Jul 18 21:21:07 2016
From: pgb205 at yahoo.com (pgb205)
Date: Mon, 18 Jul 2016 21:21:07 +0000 (UTC)
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com>

Sumit,

I have set the names of all the Domain Controllers to be resolvable to the IP of the one reachable Domain Controller in /etc/hosts

/etc/hosts:
Reachable_IP_BOX 172.10.10.1
DC1 172.10.10.1
DC2 172.10.10.1
...
...

However, I still see the following
Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
Marking server dc1.addomain.local' as 'name not resolved'

Additionally I have configured
[domain/ipa.internal]
with
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be the old hostname of the IPA KDC.
After much troubleshooting I believe I got this fixed by deleting extra folders in
/var/named/dyndb-ldap/ipa/master
Right now the only two folders are ipa.internal and .in-addr.arpa.
I think this is what helped with this issue. but can you please confirm if it sounds reasonable.

Ssh is still failing, possibly due to the problem 1 above. Is there anything else I can do to force ipa to pay attention to the /etc/hosts?
Or is this some other issue?

thanks

From: Sumit Bose
To: pgb205
Cc: Sumit Bose ; Freeipa-users
Sent: Wednesday, July 13, 2016 5:43 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> +freeipa-users list
>
> From: pgb205
> To: Sumit Bose
> Sent: Tuesday, July 12, 2016 2:12 PM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> Sumit, thanks for replying
> So the first issue is my fault, probably from when I was sanitizing logs.
> our active directory domain is ad_domain.local, but users would expect to login as userid at ad_domain.com or just userid. for ipa the kerberos realm is IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> ewr-fipa_server used to be old trial server so I am not sure why it's still in the dns lookup results. I'll check this part further.
> Lastly. only the connection to one of the domain controllers on AD side is open. As discussed previously with Alexandr Bokovoy I forced, in /etc/krb5.conf, a connection to this single, accessible domain controller. Are there any other files where I would need to lock down the connections between ipa->ad so that all traffic goes to specific active directory domain controller?
> thanks again for replying so quickly.

Currently it is not possible to specify individual AD DC SSSD on the IPA server should talk to. We have ticket https://fedorahosted.org/sssd/ticket/2599 to make this possible in some later versions of SSSD.

Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to get a list of AD DC, then picks one to get the next nearest site for the IPA domain and finally tries to lookup a DC from the matching site (if any).

According to your logs SSSD was able to find 18 DCs with the SRV lookup. A call like
dig SRV _ldap._tcp.ad_domain.local on the IPA server should return the same list of 18 DCs. As a work-around, or better a hack, you might want to try to set the IP address of all the 18 DC returned to the IP address of the only accessible DC in /etc/hosts. This way SSSD should have no chance to connect to a different DC. bye, Sumit > >? ? ? From: Sumit Bose >? To: pgb205 > Cc: Sumit Bose >? Sent: Tuesday, July 12, 2016 5:37 AM >? Subject: Re: [Freeipa-users] Unable to ssh after establishing trust >? > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote: > > Sumit,? > > sssd log files attached with debug=10 in all sections.I have attempted several logins for comparison as well as kinit commands > > I came across two issues in the logs. > > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the > AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently > FreeIPA cannot resolve those principals correctly. It was planned for > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime > please try to work-around suggested at the end of > http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to > authenticate with user at AD_DOMAIN.COM SSSD looks for a server called > ewr-fipa_server.ad_domain.com but cannot find it an return the error code > for "Cannot contact any KDC for requested realm". > > Second there are some issues access AD DCs via LDAP. SSSD tries to > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but > both fails. It is not clear from the logs if already the DNS lookup for > those fails or if the connection itself runs into a timeout. In the > former case you should make sure that the names can be resolved in the > IPA server in the latter you can try to increase ldap_network_timeout > (see man sssd-ldap for details). 
Since SSSD cannot connect to the DCs it > switches the AD domains to offline. The authentication request is > handled offline as well but since there are no cached credentials you > get the permission denied error. > > HTH > > bye, > Sumit > > > > >? ? ? From: Sumit Bose > >? To: pgb205 > > Cc: "Freeipa-users at redhat.com" > >? Sent: Monday, July 11, 2016 3:06 AM > >? Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > >? ? > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > > > I have successfully established trust and am able to obtain ticket granting ticketkinit user at AD_DOMAIN.COMI can also do kinit admin at IPA_DOMAIN.COMssh admin at IPA_DOMAIN.COM also works > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails > > > I have checked that there are no hbac rules other then the default allow_all rule > > > in sssd_ssh.log see > > > permission denied (6) error?in sssd_ipa.domain.log file I see > > > pam_handler_callback 6 permission_denied > > > in sssd_nss.log?Unable to get information from Data ProviderError: 3 Account info lookup failedWill try to return what we have in cache > > > in /var/log/secure?received for user user at AD_DOMAIN.COM: 6 (Permission denied)? > > > > > > I can provided full logs if necessary to diagnose the above problem. > > > > Yes, full SSSD logs with debug_level=10 would be best. > > > > > ----------Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM > > > My understanding that only thing that I have to change to make this happen is /etc/krb5.conffor line? > > > [libdefaults]?default_realm=AD_DOMAN.COM?and then restarting ipa services. > > > > No, please do not change the default_realm. This is not related to the > > issues you are seeing. 
> > > > bye, > > Sumit > > > > > However, when I do this I get failure to restart Samba service > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > > >? > > > > >? ? > >? -------------- next part -------------- An HTML attachment was scrubbed... URL: From datakid at gmail.com Tue Jul 19 01:13:33 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Tue, 19 Jul 2016 11:13:33 +1000 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: <20160715075629.GI4734@hendrix> References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> Message-ID: Ok, the bad news is that it didn't last. We are still having the same problem - HBAC is rejecting users because not all jobs are being discovered on the host. I turned the debug_level up to 10 as requested, but to be honest, it's impossible to find anything in the logs because it's so verbose - suddenly there are timer events everywhere. I'm going to turn it down to 7 again so I can actually parse it. Cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 15 July 2016 at 17:56, Jakub Hrozek wrote: > On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote: > > I've updated all the relevant hosts and the FreeIPA server to the COPR > sssd > > 1.14.0 release and the problem seems to have disappeared. > > Great, but please keep an eye on the machine, the 1.14 branch is still > kindof fresh and we did a lot of changes. > > About the HBAC issue, did you use the default_domain_suffix previously? 
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From datakid at gmail.com Tue Jul 19 01:26:02 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Tue, 19 Jul 2016 11:26:02 +1000 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: References: <20160711064439.d4hrvxvqmopm6nni@redhat.com> <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> Message-ID: I think the thing that frustrates the most is that id user at domain.com is returning correct data on both but they can't login....and I can't even show that this is the case because now they can login. Difficult to reproduce :/ ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 19 July 2016 at 11:13, Lachlan Musicman wrote: > Ok, the bad news is that it didn't last. We are still having the same > problem - HBAC is rejecting users because not all jobs are being discovered > on the host. > > I turned the debug_level up to 10 as requested, but to be honest, it's > impossible to find anything in the logs because it's so verbose - suddenly > there are timer events everywhere. I'm going to turn it down to 7 again so > I can actually parse it. > > Cheers > L. > > ------ > The most dangerous phrase in the language is, "We've always done it this > way." > > - Grace Hopper > > On 15 July 2016 at 17:56, Jakub Hrozek wrote: > >> On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote: >> > I've updated all the relevant hosts and the FreeIPA server to the COPR >> sssd >> > 1.14.0 release and the problem seems to have disappeared. 
>> >> Great, but please keep an eye on the machine, the 1.14 branch is still >> kindof fresh and we did a lot of changes. >> >> About the HBAC issue, did you use the default_domain_suffix previously? >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Tue Jul 19 06:40:58 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 19 Jul 2016 08:40:58 +0200 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: References: <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> Message-ID: <20160719064058.GA7639@hendrix> On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > I think the thing that frustrates the most is that id user at domain.com is > returning correct data on both but they can't login....and I can't even > show that this is the case because now they can login. Difficult to > reproduce :/ Debugging from HBAC should at least tell you why the rules didn't match... 
From sbose at redhat.com Tue Jul 19 07:33:26 2016
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 19 Jul 2016 09:33:26 +0200
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
>
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
>
> /etc/hosts:
> Reachable_IP_BOX 172.10.10.1
> DC1 172.10.10.1
> DC2 172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

>
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in the right format (see above) to /etc/hosts?

>
>
> Additionally I have configured
> [domain/ipa.internal]
> with
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
>
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a single IPA DNS domain the two directories are sufficient.

bye,
Sumit

>
>
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
>
> thanks
>
> From: Sumit Bose
> To: pgb205
> Cc: Sumit Bose ; Freeipa-users
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> > From: pgb205
> > To: Sumit Bose
> > Sent: Tuesday, July 12, 2016 2:12 PM
> > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs.
> > our active directory domain is ad_domain.local, but users would expect to
> login as userid at ad_domain.com or just userid. for ipa the kerberos realm is
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> in the dns lookup results. I'll check this part further.
> > Lastly. only the connection to one of the domain controllers on AD side is
> open. As discussed previously with Alexandr Bokovoy I forced, in /etc/krb5.conf,
> a connection to this single, accessible domain controller. Are there any other
> files where I would need to lock down the connections between ipa->ad so that
> all traffic goes to specific active directory domain controller?
> > thanks again for replying so quickly. > > Currently it is not possible to specify individual AD DC SSSD on the IPA > server should talk to. We have ticket > https://fedorahosted.org/sssd/ticket/2599 to make this possible in some > later versions of SSSD. > > Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to > get a list of AD DC, then picks one to get the next nearest site for the > IPA domain and finally tries to lookup a DC from the matching site (if > any). > > According to your logs SSSD was able to find 18 DCs with the SRV lookup. > A call like > > dig SRV _ldap._tcp.ad_domain.local > > on the IPA server should return the same list of 18 DCs. > > As a work-around, or better a hack, you might want to try to set the IP > address of all the 18 DC returned to the IP address of the only > accessible DC in /etc/hosts. This way SSSD should have no chance to > connect to a different DC. > > bye, > > Sumit > > > > > From: Sumit Bose > > To: pgb205 > > Cc: Sumit Bose > > Sent: Tuesday, July 12, 2016 5:37 AM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote: > > > Sumit, > > > sssd log files attached with debug=10 in all sections.I have attempted > several logins for comparison as well as kinit commands > > > > I came across two issues in the logs. > > > > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt > > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the > > AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently > > FreeIPA cannot resolve those principals correctly. It was planned for > > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will > > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime > > please try to work-around suggested at the end of > > http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . 
When trying to > > authenticate with user at AD_DOMAIN.COM SSSD looks for a server called > > ewr-fipa_server.ad_domain.com but cannot find it an return the error code > > for "Cannot contact any KDC for requested realm". > > > > Second there are some issues access AD DCs via LDAP. SSSD tries to > > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but > > both fails. It is not clear from the logs if already the DNS lookup for > > those fails or if the connection itself runs into a timeout. In the > > former case you should make sure that the names can be resolved in the > > IPA server in the latter you can try to increase ldap_network_timeout > > (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it > > switches the AD domains to offline. The authentication request is > > handled offline as well but since there are no cached credentials you > > get the permission denied error. > > > > HTH > > > > bye, > > Sumit > > > > > > > > From: Sumit Bose > > > To: pgb205 > > > Cc: "Freeipa-users at redhat.com" > > > Sent: Monday, July 11, 2016 3:06 AM > > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > > > > I have successfully established trust and am able to obtain ticket > granting ticketkinit user at AD_DOMAIN.COMI can also do kinit > admin at IPA_DOMAIN.COMssh admin at IPA_DOMAIN.COM also works > > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails > > > > I have checked that there are no hbac rules other then the default > allow_all rule > > > > in sssd_ssh.log see > > > > permission denied (6) error in sssd_ipa.domain.log file I see > > > > pam_handler_callback 6 permission_denied > > > > in sssd_nss.log Unable to get information from Data ProviderError: 3 > Account info lookup failedWill try to return what we have in cache > > > > in /var/log/secure received for user user at AD_DOMAIN.COM: 6 (Permission > denied) > > > > 
> > > > I can provide full logs if necessary to diagnose the above problem.
> > >
> > > Yes, full SSSD logs with debug_level=10 would be best.
> > >
> > > > ----------Additionally, I would like to be able to log in as user, not user at AD_DOMAIN.COM
> > > > My understanding is that the only thing that I have to change to make this happen is /etc/krb5.conf for line
> > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.
> > >
> > > No, please do not change the default_realm. This is not related to the
> > > issues you are seeing.
> > >
> > > bye,
> > > Sumit
> > >
> > > > However, when I do this I get failure to restart Samba service
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Tue Jul 19 09:40:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 19 Jul 2016 11:40:59 +0200
Subject: [Freeipa-users] non-authoritative tricks for DNS resolution
In-Reply-To: <578D44C1.7000501@gmail.com>
References: <578BEC49.6060705@gmail.com> <9521194D-D168-41D4-B588-1B18578F70D1@bsd.uchicago.edu> <0a093d72-8c2a-19a4-54ad-8ab386b023b0@redhat.com> <578D44C1.7000501@gmail.com>
Message-ID: <335090d8-6482-ef4d-83f6-e934e1bd3502@redhat.com>

On 18.7.2016 23:06, Brendan Kearney wrote:
> On 07/18/2016 06:12 AM, Petr Spacek wrote:
>> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
>>> Would a DNS view (bind) work?
>>>
>>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>>>
>>> Also, depending on what you are using for NAT, some devices will mangle the
>>> reply payload of A record lookups as they traverse NAT to avoid hairpinning
>>> (a packet going out and then back in the same interface as it traverses
>>> NAT). This is known as DNS doctoring, at least in the world of Cisco.
>>>
>>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
>>>
>>> Let me know if either of those will solve your problem. If not, I might
>>> have a misunderstanding of what you are asking.
>>>
>>> Dan
>>>
>>>> On Jul 17, 2016, at 3:36 PM, Brendan Kearney wrote:
>>>>
>>>> I am looking to set up a VPN in order to access some resources, and want to
>>>> point my clients at this resource via DNS. The resource I am accessing is
>>>> internet resolvable, but I am accessing it via the VPN, and using a NAT
>>>> for the VPN (full 1-to-1 or static NAT). I want to have a record in my
>>>> DNS for this resource, using its proper name (which I am not authoritative
>>>> for), but assign it the IP of my NAT.
>>>>
>>>> Say for example, host.domain-ext.tld is the resource I want to access, and
>>>> it resolves externally to 1.2.3.4. My VPN NAT would be 192.168.99.137. I
>>>> want internal resolution of DNS to point to 192.168.99.137 so the network
>>>> routing takes my internal clients to the VPN and not out to the internet.
>>>>
>>>> I am using ISC BIND, bind-dyndb-ldap, and Fedora, but not FreeIPA, for
>>>> DNS. How do I set up the zone and record to accomplish this DNS trick? I
>>>> have talked with some DNS gurus and they indicate that I can do something
>>>> with the "@" record. It seems that the record I want would be its own
>>>> zone, and the @ record would point to the name, and the SOA would be the
>>>> NAT IP. I could be wrong about the details, but something like this is
>>>> how to set up resolution the way I want.
>>>>
>>>> Any pointers would be greatly appreciated.
>> Background note:
>> All these DNS tricks are hacks to work around an IP routing problem in the
>> configuration you described.
>>
>> If you really want to use DNS tricks, you can create a DNS zone with a name
>> equal to the one you want to override and fill this zone with A/AAAA records at
>> the zone apex (@).
>> The DNS approach has some inherent advantages:
>>
>> 1. All DNS names below the name you want to 'hijack' will not be resolvable in
>> your network. E.g. if the name is hijacked.example.com. then sub-domains like
>> anything.hijacked.example.com. will not be resolvable.
>>
>> 2. Your clients will go securely over VPN if and only if they use your local
>> DNS servers. Any client configured (even accidentally) to use some other DNS
>> server (e.g. public 8.8.8.8) will get the 'public' address and not tunnel
>> the traffic over VPN.
>>
>>
>> The secure and reliable solution is not to use DNS but to solve things on the IP layer:
>> On the network gateway, configure an IPsec tunnel (or any other VPN) in a way
>> that *the original IP address* is routed over VPN.
>>
>> This does not require any DNS tricks and thus will work regardless of client
>> configuration.
>>
>> I hope it helps.
>>
> Our posture states that we do not route network space that is not ours, unless
> exigent circumstances dictate otherwise. We have dedicated address space to
> NAT pools, in order to facilitate this. We also forbid external DNS resolution
> from endpoints, by limiting what can go out to the roots for recursion.

Blocking port 53 is slowly becoming a pointless exercise as RFC 7858 gets
incrementally adopted. DNS is going to be indistinguishable from any TLS
traffic, potentially even over port 443. Having said that, it is better to
plan for changes sooner than later.

> Misconfigured clients are not able to perform DNS resolution. We work with
> our counterparts on the other side of the VPN to ensure we are only adding a
> host record, and that sub-domains are not a point of failure for our access.
>
> In terms of setting up this zone, how would one construct the LDIF to create
> it? Because I am not using FreeIPA, I do not have the seemingly built-in
> tools to perform this function. Any reading material on the subject is welcomed.
The zone would be the very same as any other DNS zone, please see the
doc/example.ldif file in the bind-dyndb-ldap distribution.

You may want to play RPZ tricks but this needs to be done using standard BIND
config.

Keep in mind that all this will break as soon as DNSSEC is enabled because your
address hijacking will be indistinguishable from an attack. (In other words,
this is the technically wrong approach. A solution on the IP routing layer is
technically cleaner.)

--
Petr^2 Spacek

From zeal at freecharge.com Tue Jul 19 10:45:13 2016
From: zeal at freecharge.com (Zeal Vora)
Date: Tue, 19 Jul 2016 16:15:13 +0530
Subject: [Freeipa-users] User Permissions Related Doubts
Message-ID:

Hi!

I was planning to have a user who will have access to the below set of permissions:

1. kinit
2. ipa host-add
3. ipa host-add-managedby
4. ipa-getkeytab

I was wondering what would be the minimum required permissions for this user?
I was planning to use a specific user other than the admin. Any help will be appreciated!

Thanks!
Zeal

From prashant at apigee.com Tue Jul 19 11:31:25 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 19 Jul 2016 17:01:25 +0530
Subject: [Freeipa-users] OS migration from Fedora to CentOS?
In-Reply-To: <56BB0393.8010900@redhat.com>
References: <3044CBB6-2CB9-4425-BE84-D046593903E7@uni.lu> <56B47AEE.2010906@redhat.com> <56BB0393.8010900@redhat.com>
Message-ID:

I was in the exact same situation. Had to upgrade from FC21 (4.1.4) to CentOS 7.2 (4.2.0). Upgrade went thru fine thanks to this thread :-)

For migrating the DNA ranges, I used this link https://blog-rcritten.rhcloud.com/?p=50

Is this fine?

Thanks.
On 10 February 2016 at 15:02, Martin Kosek wrote:

> On 02/05/2016 11:35 AM, Petr Vobornik wrote:
> > On 02/04/2016 06:14 PM, Christophe TREFOIS wrote:
> >> Hi all,
> >>
> >> We are currently running a 3-replica (all are set up with the --setup-ca flag)
> >> cluster on Fedora 21, with FreeIPA 4.1.4.
> >>
> >> We would like to slowly upgrade to the new version and move away from Fedora
> >> to CentOS 7.2.
> >>
> >> We were thinking of the following:
> >>
> >> - Create 3 CentOS machines with the --setup-ca flag so that our current cluster is 6.
> >> The first CentOS VM would then probably update the DB schema to the new
> >> FreeIPA version.
> >> - Remove the Fedora VMs 1 by 1 from the cluster using ipa-replica-manage del
> >>
> >> - Be happy?
> >>
> >>
> >> 1. Could you please advise if this is considered the safest practice?
> >
> > More or less yes:
> >
> > 1. create the first IPA 4.2 against some FreeIPA 4.1.4 with CA
> > 2. create the other two against the newly created CentOS - will verify if it is
> > in a good shape
> > 3. set new renewal CRL master:
> > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> > 4. Migrate DNA ranges using the ipa-replica-manage tool
> >
> > if all works well, remove all servers:
> >
> > 5. remove CA repl. agreements for old servers using ipa-csreplica-manage del
> > 6. remove old servers' data and repl. agreements using ipa-replica-manage del
> > 7. uninstall old servers using ipa-server-install --uninstall
> >
> >> 2. Do we have to update to intermediate versions and if so how?
> >
> > Should not be necessary.
> > Some advice is also present in the RHEL official docs:
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
>

From linov.suresh at gmail.com Tue Jul 19 13:27:08 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 19 Jul 2016 09:27:08 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578950E8.6040902@redhat.com>
Message-ID:

We have cloned and created another virtual server from the template. Surprisingly this server's certificates also expired at the same time as the previous one's; they just lasted for a day.
Does this issue have something to do with the Kerberos tickets?

I am new to IPA and your help is highly appreciated.

On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:

> *Update: my webserver and LDAP certificates expired at 2016-07-18
> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>
> *Could you please help us?*
>
> [root at caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         *expires: 2016-07-18 15:54:36 UTC*
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         *expires: 2016-07-18 15:54:52 UTC*
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223316':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         *expires: 2016-07-18 15:55:04 UTC*
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130519130741':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Audit,O=TELOIP.NET
>         expires: 2017-10-13 14:10:49 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=RA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>         track: yes
>         auto-renew: yes
>
> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>
>> Yes, PKI is running and I don't see any errors in selftests, I have
>> followed https://access.redhat.com/solutions/643753 and restarted the
>> PKI in step 10.
>>
>> The only change which I made was to clean up userCertificate;binary before
>> adding the new userCertificate in LDAP, which is step 12.
>>
>> [root at caer ~]# /etc/init.d/pki-cad status
>> pki-ca (pid 8634) is running...
>> [ OK ]
>>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>     Tomcat Port         = 9701 (for shutdown)
>>
>>     PKI Instance Name:   pki-ca
>>
>>     PKI Subsystem Type:  Root CA (Security Domain)
>>
>>     Registered PKI Security Domain Information:
>>
>>     ==========================================================================
>>     Name:  IPA
>>     URL:   https://caer.teloip.net:9445
>>     ==========================================================================
>> [root at caer ~]#
>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>
>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>>> > certmonger. Looks like certificates were renewed. But I'm getting a different
>>> > error now,
>>> >
>>> > *ca-error: Internal error: no response to
>>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>>
>>> Is PKI running? When you change the time, does a restart of IPA help?
>>>
>>> >
>>> > [root at caer ~]# getcert list
>>> > Number of certificates and requests being tracked: 8.
>>> > Request ID '20111214223243': >>> > status: MONITORING >>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=caer.teloip.net ,O= >>> TELOIP.NET >>> > >>> > expires: 2016-07-18 15:54:36 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223300': >>> > status: MONITORING >>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=caer.teloip.net ,O= >>> TELOIP.NET >>> > >>> > expires: 2016-07-18 15:54:52 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223316': >>> > status: MONITORING >>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=caer.teloip.net ,O= >>> TELOIP.NET >>> > >>> > expires: 2016-07-18 15:55:04 UTC >>> > eku: 
id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130741': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >>> ". >>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=CA Audit,O=TELOIP.NET >>> > expires: 2017-10-13 14:10:49 UTC >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130742': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >>> ". 
>>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=OCSP Subsystem,O=TELOIP.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-OCSPSigning >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "ocspSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130743': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >>> ". >>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=CA Subsystem,O=TELOIP.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "subsystemCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130744': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >>> ". 
>>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> Certificate >>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=RA Subsystem,O=TELOIP.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: >>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130745': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >>> ". >>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=TELOIP.NET < >>> http://TELOIP.NET> >>> > subject: CN=caer.teloip.net ,O= >>> TELOIP.NET >>> > >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: >>> > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv " >>> TELOIP.NET >>> > " >>> > track: yes >>> > auto-renew: yes >>> > [root at caer ~]# >>> > >>> > Your help is highly appreciated! >>> > >>> > >>> > >>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden >> > > wrote: >>> > >>> > Linov Suresh wrote: >>> > >>> > I logged into my IPA master, and found that the cert had >>> expired again, >>> > we renewed these certificates about 18 months ago. 
>>> >
>>> > Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>> >
>>> > I followed the Redhat documentation, How do I manually renew Identity
>>> > Management (IPA) certificates after they have expired? (Master IPA
>>> > Server), https://access.redhat.com/solutions/643753 but no luck.
>>> >
>>> > I have also changed the directive "NSSEnforceValidCerts off" in
>>> > /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>> >
>>> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>>> > -b cn=config | grep nsslapd-validate-cert
>>> >
>>> > nsslapd-validate-cert: warn
>>> >
>>> > Here is my getcert list,
>>> >
>>> > [root at caer ~]# getcert list
>>> >
>>> > It looks like your CA subsystem certificates all renewed successfully, it is
>>> > just the webserver and LDAP certificates that need renewing, so that's good.
>>> >
>>> > What I'd do is go back in time again to say Jan 20, 2016 and restart
>>> > certmonger. That should make it retry the renewals.
>>> >
>>> > rob
>>>
>>> --
>>> Petr Vobornik

From jan.karasek at elostech.cz Tue Jul 19 13:44:44 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Tue, 19 Jul 2016 15:44:44 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To:
References:
Message-ID: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz>

Hi,

I am still fighting with storing users' POSIX attributes in AD. Can anybody please provide some simple reference settings of an IPA-AD trust where users are able to get their uid from AD, not from the IPA ID pool?

I have tried to set values of attributes before and after creating the trust, I have tried different sssd settings, but I'm still getting the uid from the IPA idrange pool instead of from the AD user's attribute.
What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']? Do I mandatorily have to fill some AD user attributes to get it to work? Currently I am testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know what else I can try ...

Thanks for help,
Jan

Date: Tue, 21 Jun 2016 21:38:15 +0200
From: Jakub Hrozek
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <20160621193815.GS29512 at hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe?

>
> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>   Range name: EXAMPLE.TT_id_range
>   First Posix ID of the range: 1392000000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>   Range type: Active Directory trust range with POSIX attributes
>
>
> I have set attributes in AD for user at EXAMPLE.TT
> - uidNumber - 10000
> - homeDirectory - /home/user
> - loginShell - /bin/bash
>
> Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>
> Problem is that I am not getting the uid from AD but from the idrange:
>
> uid=1392001107(user at example.tt)
>
> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
This has no effect, in the IPA-AD trust scenario the id mapping properties are managed on the server.

>
> I know that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from the HR system - including POSIX attributes - and we need IPA to read them from AD.

I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment, it sounds like you want to use the POSIX attributes across the board.

>
> So my questions are:
>
> Is it possible to read a user's POSIX attributes directly from AD - namely uid?

Yes

> Which attributes can be stored in AD?

Homedir is a bit special, for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set at the moment, though, so I'm operating purely from memory.

> Am I doing something wrong?
>
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = a.example.tt
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
>
> [pam]
> debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
> [pac]
>
> debug_level = 4
> [ifp]
>
> Thanks,
> Jan
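As an added illustration of the uid behaviour Jakub describes for the two range types (example code written for this archive, not SSSD's or FreeIPA's own): it models the algorithmic ipa-ad-trust mapping, the ipa-ad-trust-posix path that reads uidNumber from AD, and the subdomains_homedir precedence, using the idrange values quoted in the thread. The AdUser entry and its RID 1107 are constructed, and the in-range check on the POSIX path follows the documented requirement that AD-side POSIX IDs fall inside the configured idrange.

```python
# Added example, not FreeIPA or SSSD code: models how a trusted AD user's
# uid is chosen under the two IPA range types discussed above, using the
# idrange values from the thread.  The RID-offset arithmetic and the
# "POSIX id must fall inside the range" rule follow the documented
# behaviour; the AD user entry below is constructed (its RID is derived
# from the uid the thread shows: 1392001107 - 1392000000 = 1107).
from dataclasses import dataclass
from typing import Optional, Tuple

ALGORITHMIC = "ipa-ad-trust"         # uid derived from the SID
POSIX = "ipa-ad-trust-posix"         # uid taken from AD's uidNumber


@dataclass(frozen=True)
class IdRange:
    """Mirror of the fields `ipa idrange-show` prints."""
    name: str
    first_id: int       # First Posix ID of the range
    size: int           # Number of IDs in the range
    domain_sid: str     # Domain SID of the trusted domain
    range_type: str     # ipa-ad-trust or ipa-ad-trust-posix
    base_rid: int = 0   # First RID of the corresponding RID range

    def contains(self, posix_id: int) -> bool:
        return self.first_id <= posix_id < self.first_id + self.size


@dataclass(frozen=True)
class AdUser:
    """The subset of an AD user object that matters for ID resolution."""
    sam_account: str
    object_sid: str
    uid_number: Optional[int] = None        # POSIX attribute set in AD
    unix_home: Optional[str] = None         # unixHomeDirectory in AD
    login_shell: Optional[str] = None


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-1107' -> ('S-1-5-21-a-b-c', 1107)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def resolve_uid(user: AdUser, rng: IdRange) -> Tuple[Optional[int], str]:
    """Return (uid, reason); uid is None when SSSD would not map the user."""
    domain_sid, rid = split_sid(user.object_sid)
    if domain_sid != rng.domain_sid:
        return None, "SID does not belong to the range's trusted domain"
    if rng.range_type == ALGORITHMIC:
        # Algorithmic mapping: uidNumber in AD is ignored entirely.
        offset = rid - rng.base_rid
        if not 0 <= offset < rng.size:
            return None, f"RID {rid} outside the RID window of {rng.name}"
        return rng.first_id + offset, "algorithmic: first_id + (rid - base_rid)"
    if rng.range_type == POSIX:
        if user.uid_number is None:
            return None, "POSIX range but no uidNumber on the AD object"
        if not rng.contains(user.uid_number):
            return None, (f"uidNumber {user.uid_number} lies outside "
                          f"{rng.first_id}..{rng.first_id + rng.size - 1}")
        return user.uid_number, "POSIX: uidNumber read from AD"
    return None, f"unknown range type {rng.range_type!r}"


def resolve_home(user: AdUser, domain: str,
                 subdomains_homedir: str = "/home/%d/%u") -> str:
    """Home directory: subdomains_homedir wins over unixHomeDirectory, as the
    reply above notes.  The default template value is the one sssd.conf(5)
    documents for subdomains_homedir."""
    return subdomains_homedir.replace("%d", domain).replace("%u", user.sam_account)


# Range exactly as `ipa idrange-show EXAMPLE.TT_id_range` printed it above.
DOMAIN_SID = "S-1-5-21-4123312533-990676102-3576722756"
POSIX_RANGE = IdRange("EXAMPLE.TT_id_range", 1392000000, 200000, DOMAIN_SID, POSIX)
ALG_RANGE = IdRange("EXAMPLE.TT_id_range", 1392000000, 200000, DOMAIN_SID, ALGORITHMIC)
# Constructed AD user: RID 1107, uidNumber 10000 as set in the thread.
USER = AdUser("user", DOMAIN_SID + "-1107", uid_number=10000,
              unix_home="/home/user", login_shell="/bin/bash")

if __name__ == "__main__":
    for rng in (ALG_RANGE, POSIX_RANGE):
        print(rng.range_type, resolve_uid(USER, rng))
    print(resolve_home(USER, "example.tt"))
```

Run against the thread's own values, the algorithmic branch reproduces uid 1392001107 while the POSIX branch rejects uidNumber 10000 because it lies outside 1392000000..1392199999, which is one thing worth verifying when AD-side POSIX IDs are not being picked up.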
URL: 

From linov.suresh at gmail.com Tue Jul 19 13:52:48 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 19 Jul 2016 09:52:48 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: 
References: <578950E8.6040902@redhat.com>
Message-ID: 

I have followed the Red Hat official documentation, https://access.redhat.com/solutions/643753, for certificate renewal, which says *add: usercertificate* (step 12). On the other hand, the FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add: usercertificate;binary*.

Just wondering if we need to *add* the certificate or *replace* the existing certificate, and which format do we need to use? *pem* or *der*.

We already successfully renewed the certificates some months back, but they expired about 6 months back and we were not able to renew till now, and it is affecting our production environment.

Please help us.

On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:

> We have cloned and created another virtual server from the template. Surprisingly this server's certificates were also expired at the same time as the previous, just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:
>
>> *Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root at caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:54:36 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20111214223300':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:54:52 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20111214223316':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:55:04 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130741':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=CA Audit,O=TELOIP.NET
>>     expires: 2017-10-13 14:10:49 UTC
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130742':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=OCSP Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130743':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=CA Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130744':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=RA Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130745':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>     track: yes
>>     auto-renew: yes
>>
>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>>
>>> Yes, PKI is running and I don't see any errors in selftests. I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
>>>
>>> The only change which I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.
>>>
>>> [root at caer ~]# /etc/init.d/pki-cad status
>>> pki-ca (pid 8634) is running...
>>> [ OK ]
>>>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>>     Tomcat Port         = 9701 (for shutdown)
>>>
>>>     PKI Instance Name:   pki-ca
>>>
>>>     PKI Subsystem Type:  Root CA (Security Domain)
>>>
>>>     Registered PKI Security Domain Information:
>>>     ==========================================================================
>>>     Name:  IPA
>>>     URL:   https://caer.teloip.net:9445
>>>     ==========================================================================
>>> [root at caer ~]#
>>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>>
>>> Your help is highly appreciated!
>>>
>>>
>>> Linov Suresh
>>>
>>> 70 Forest Manor Rd.
>>> Toronto
>>> ON M2J 0A9
>>> Mobile: +1 647 406 9438
>>> Linkedin: ca.linkedin.com/in/linov/
>>> Website: http://mylinuxthoughts.blogspot.com
>>>
>>>
>>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>>
>>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,
>>>> >
>>>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>>>
>>>> Is PKI running? When you change the time, does restart of IPA help?
>>>>
>>>> >
>>>> > [root at caer ~]# getcert list
>>>> > Number of certificates and requests being tracked: 8.
>>>> > Request ID '20111214223243':
>>>> >     status: MONITORING
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>> >     CA: IPA
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >     expires: 2016-07-18 15:54:36 UTC
>>>> >     eku: id-kp-serverAuth
>>>> >     pre-save command:
>>>> >     post-save command:
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20111214223300':
>>>> >     status: MONITORING
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>> >     CA: IPA
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >     expires: 2016-07-18 15:54:52 UTC
>>>> >     eku: id-kp-serverAuth
>>>> >     pre-save command:
>>>> >     post-save command:
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20111214223316':
>>>> >     status: MONITORING
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> >     CA: IPA
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >     expires: 2016-07-18 15:55:04 UTC
>>>> >     eku: id-kp-serverAuth
>>>> >     pre-save command:
>>>> >     post-save command:
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20130519130741':
>>>> >     status: MONITORING
>>>> >     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> >     CA: dogtag-ipa-renew-agent
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=CA Audit,O=TELOIP.NET
>>>> >     expires: 2017-10-13 14:10:49 UTC
>>>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20130519130742':
>>>> >     status: MONITORING
>>>> >     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> >     CA: dogtag-ipa-renew-agent
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=OCSP Subsystem,O=TELOIP.NET
>>>> >     expires: 2017-10-13 14:09:49 UTC
>>>> >     eku: id-kp-OCSPSigning
>>>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20130519130743':
>>>> >     status: MONITORING
>>>> >     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> >     CA: dogtag-ipa-renew-agent
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=CA Subsystem,O=TELOIP.NET
>>>> >     expires: 2017-10-13 14:09:49 UTC
>>>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20130519130744':
>>>> >     status: MONITORING
>>>> >     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> >     CA: dogtag-ipa-renew-agent
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=RA Subsystem,O=TELOIP.NET
>>>> >     expires: 2017-10-13 14:09:49 UTC
>>>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >     pre-save command:
>>>> >     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > Request ID '20130519130745':
>>>> >     status: MONITORING
>>>> >     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>>> >     stuck: no
>>>> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> >     CA: dogtag-ipa-renew-agent
>>>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >     expires: 2017-10-13 14:09:49 UTC
>>>> >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >     pre-save command:
>>>> >     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>>> >     track: yes
>>>> >     auto-renew: yes
>>>> > [root at caer ~]#
>>>> >
>>>> > Your help is highly appreciated!
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden wrote:
>>>> >
>>>> >     Linov Suresh wrote:
>>>> >
>>>> >         I logged into my IPA master, and found that the cert had expired again; we renewed these certificates about 18 months ago.
>>>> >
>>>> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>>> >
>>>> >         I followed the Red Hat documentation, How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server), https://access.redhat.com/solutions/643753 but no luck.
>>>> >
>>>> >         I have also changed the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>>> >
>>>> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
>>>> >
>>>> >         nsslapd-validate-cert: warn
>>>> >
>>>> >         Here is my getcert list,
>>>> >
>>>> >         [root at caer ~]# getcert list
>>>> >
>>>> >
>>>> >     It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.
>>>> >
>>>> >     What I'd do is go back in time again to say Jan 20, 2016 and restart certmonger. That should make it retry the renewals.
>>>> >
>>>> >     rob
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> Petr Vobornik
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From rcritten at redhat.com Tue Jul 19 14:40:31 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jul 2016 10:40:31 -0400
Subject: [Freeipa-users] User Permissions Related Doubts
In-Reply-To: 
References: 
Message-ID: <578E3BDF.8080909@redhat.com>

Zeal Vora wrote:
> Hi!
>
> I was planning to have a user who will have access to the below set of permissions :-
>
>
> 1. kinit
> 2. ipa host-add
> 3. ipa-host-add-managedby
> 4. ipa-getkeytab
>
>
> I was wondering what would be the minimum required permission for this user? I was planning to use a specific user other than the admin,
>
> Any help will be appreciated!

I'd look at the Host Enrollment privilege to see if it does what you need. You might have to add Modify Hosts in order to add managedby (or create a similar privilege).

rob

From rcritten at redhat.com Tue Jul 19 14:50:45 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jul 2016 10:50:45 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: 
References: <578950E8.6040902@redhat.com>
Message-ID: <578E3E45.1040904@redhat.com>

Linov Suresh wrote:
> I have followed the Red Hat official documentation, https://access.redhat.com/solutions/643753, for certificate renewal, which says *add: usercertificate* (step 12).
>
> On the other hand, the FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add: usercertificate;binary*
>
> Just wondering if we need to *add* the certificate or *replace* the existing certificate, and which format do we need to use? *pem* or *der*.
>
> We already successfully renewed the certificates some months back, but they expired about 6 months back and we were not able to renew till now, and it is affecting our production environment.
>
> Please help us.

You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.

I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).

# service pki-cad restart
# service certmonger restart

I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up. Assuming you can, then go back in time again, this time just a few days, and try renewing the LDAP and Apache server certs again.

rob

>
> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>
>     We have cloned and created another virtual server from the template. Surprisingly this server's certificates were also expired at the same time as the previous, just lasted for a day.
>     Does this issue have something to do with the Kerberos tickets?
>
>     I am new to IPA and your help is highly appreciated.
>
>     On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:
>
>         *Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>
>         *Could you please help us?*
>
>         [root at caer tmp]# getcert list
>         Number of certificates and requests being tracked: 8.
>         Request ID '20111214223243':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=caer.teloip.net,O=TELOIP.NET
>             *expires: 2016-07-18 15:54:36 UTC*
>             eku: id-kp-serverAuth
>             pre-save command:
>             post-save command:
>             track: yes
>             auto-renew: yes
>         Request ID '20111214223300':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=caer.teloip.net,O=TELOIP.NET
>             *expires: 2016-07-18 15:54:52 UTC*
>             eku: id-kp-serverAuth
>             pre-save command:
>             post-save command:
>             track: yes
>             auto-renew: yes
>         Request ID '20111214223316':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=caer.teloip.net,O=TELOIP.NET
>             *expires: 2016-07-18 15:55:04 UTC*
>             eku: id-kp-serverAuth
>             pre-save command:
>             post-save command:
>             track: yes
>             auto-renew: yes
>         Request ID '20130519130741':
>             status: MONITORING
>             ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>             stuck: no
>             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=CA Audit,O=TELOIP.NET
>             expires: 2017-10-13 14:10:49 UTC
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>         Request ID '20130519130742':
>             status: MONITORING
>             ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>             stuck: no
>             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=OCSP Subsystem,O=TELOIP.NET
>             expires: 2017-10-13 14:09:49 UTC
>             eku: id-kp-OCSPSigning
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>         Request ID '20130519130743':
>             status: MONITORING
>             ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>             stuck: no
>             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=CA Subsystem,O=TELOIP.NET
>             expires: 2017-10-13 14:09:49 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>         Request ID '20130519130744':
>             status: MONITORING
>             ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>             stuck: no
>             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=RA Subsystem,O=TELOIP.NET
>             expires: 2017-10-13 14:09:49 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>             track: yes
>             auto-renew: yes
>         Request ID '20130519130745':
>             status: MONITORING
>             ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>             stuck: no
>             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=TELOIP.NET
>             subject: CN=caer.teloip.net,O=TELOIP.NET
>             expires: 2017-10-13 14:09:49 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>             track: yes
>             auto-renew: yes
>
>         On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>
>             Yes, PKI is running and I don't see any errors in selftests. I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
>
>             The only change which I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.
>
>             [root at caer ~]# /etc/init.d/pki-cad status
>             pki-ca (pid 8634) is running...
>             [ OK ]
>                 Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>                 Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>                 Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>                 Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>                 EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>                 PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>                 Tomcat Port         = 9701 (for shutdown)
>
>                 PKI Instance Name:   pki-ca
>
>                 PKI Subsystem Type:  Root CA (Security Domain)
>
>                 Registered PKI Security Domain Information:
>                 ==========================================================================
>                 Name:  IPA
>                 URL:   https://caer.teloip.net:9445
>                 ==========================================================================
>             [root at caer ~]#
>             [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
> > Your help is highly appreciated! > > Linov Suresh > > 70 Forest Manor Rd. > Toronto > ON M2J 0A9 > Mobile: +1 647 406 9438 > Linkedin: ca.linkedin.com/in/linov/ > > Website: http://mylinuxthoughts.blogspot.com > > > On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik > > wrote: > > On 07/18/2016 05:45 AM, Linov Suresh wrote: > > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and > > certmonger. Look like certificates were renewed. But I'm getting a different > > error now, > > > > *ca-error: Internal error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".* > > Is PKI running? When you change the time, does restart > of IPA help? > > > > > [root at caer ~]# getcert list > > Number of certificates and requests being tracked: 8. > > Request ID '20111214223243': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > > > expires: 2016-07-18 15:54:36 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223300': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > > > expires: 2016-07-18 
15:54:52 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223316': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > > > expires: 2016-07-18 15:55:04 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: MONITORING > > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > > stuck: no > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=CA Audit,O=TELOIP.NET > > > expires: 2017-10-13 14:10:49 UTC > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: MONITORING > > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=OCSP Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: MONITORING > > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". > > stuck: no > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=CA Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=RA Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > Request ID '20130519130745': > > status: MONITORING > > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". > > stuck: no > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET > > " > > track: yes > > auto-renew: yes > > [root at caer ~]# > > > > Your help is highly appreciated! > > > > > > > > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden > > >> wrote: > > > > Linov Suresh wrote: > > > > I logged into my IPA master, and found that > the cert had expired again, > > we renewed these certificates about 18 months > ago. > > > > Our environment is CentOS 6.4 and IPA 3.0.0-26. > > > > > > I followed the Redhat documentation,How do > I manually renew Identity > > Management (IPA) certificates after they > have expired? 
> > > > (Master IPA Server), https://access.redhat.com/solutions/643753 but no luck.
> > > >
> > > > I have also changed the directive "NSSEnforceValidCerts off" in
> > > > /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
> > > >
> > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> > > > -b cn=config | grep nsslapd-validate-cert
> > > >
> > > > nsslapd-validate-cert: warn
> > > >
> > > > Here is my getcert list,
> > > >
> > > > [root at caer ~]# getcert list
> > >
> > > It looks like your CA subsystem certificates all renewed successfully it is
> > > just the webserver and LDAP certificates that need renewing so that's good.
> > >
> > > What I'd do is go back in time again to say Jan 20, 2016 and restart
> > > certmonger. That should make it retry the renewals.
> > >
> > > rob
>
> --
> Petr Vobornik

From bob at jackland.demon.co.uk Tue Jul 19 17:22:42 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Tue, 19 Jul 2016 18:22:42 +0100
Subject: [Freeipa-users] Struggling to remove redundant RUV records
Message-ID: <8e20bd64-d3a9-287e-82b6-729ea7f6a94a@jackland.demon.co.uk>

Hi,

We had to replace a failed replica "ipa003.mgmt.prod.local". Unfortunately,
deleting the old copy prior to creating the replacement doesn't seem to have
worked and we're getting lots of errors like :-

attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa003.mgmt.prod.local:389 ... failed.

In the dirsrv logs. One problem is that there are now two RUVs for
ipa003.mgmt.prod.local. How do I identify which is the live one so I can
delete the redundant one? I'd also like to delete all the old "unable to
decode" replicas. I found a posting with an ldapsearch (see below), but this
seems to give numbers that don't match the replica IDs. Do I need to
translate the search results in some fashion or use a different search?
Many Thanks

Bob Hinton

-sh-4.2$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
-sh-4.2$ ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

sh-4.2$ sudo ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 15} 568d15720002000f0000 568d15720002000f0000
unable to decode: {replica 13} 568ed0a90001000d0000 56ebea6b0001000d0000
unable to decode: {replica 14} 568d16ea0000000e0000 56ab57950005000e0000
ipa002.mgmt.prod.local:389: 17
ipa001.mgmt.paas.local:389: 22
ipa003.mgmt.paas.local:389: 26
ipa002.mgmt.paas.local:389: 24
ipa002.mgmt.paas.local:389: 25
ipa003.mgmt.prod.local:389: 23
ipa003.mgmt.prod.local:389: 18
ipa001.mgmt.prod.local:389: 19

sh-4.2$ !996
sudo ipa-replica-manage clean-ruv 13
Directory Manager password:
unable to decode: {replica 15} 568d15720002000f0000 568d15720002000f0000
unable to decode: {replica 13} 568ed0a90001000d0000 56ebea6b0001000d0000
unable to decode: {replica 14} 568d16ea0000000e0000 56ab57950005000e0000
Replica ID 13 not found

sh-4.2$ !1000
ldapsearch -D "cn=Directory Manager" -W -h ipa003.mgmt.prod.local -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
Enter LDAP Password:
nsDS5ReplicaId: 1485
nsds50ruv: {replicageneration} 54be6564000000600000
nsds50ruv: {replica 1485 ldap://ipa003.mgmt.prod.local:389} 5787b6e
nsds50ruv: {replica 1395 ldap://ipa001.mgmt.prod.local:389} 567ab7a
nsds50ruv: {replica 1490 ldap://ipa001.mgmt.paas.local:389} 5787aef
nsds50ruv: {replica 1495 ldap://ipa001.mgmt.paas.local:389} 578660e
nsds50ruv: {replica 1280 ldap://ipa002.mgmt.prod.local:389} 567949c
nsds50ruv: {replica 71 ldap://ipa4-03.local:389} 5617ba4d0000004700
nsds50ruv: {replica 1285 ldap://ipa001.mgmt.prod.local:389} 567804c
nsds50ruv: {replica 1290 ldap://ipa4-02.local:389} 561bb7bc0000050a
nsds50ruv: {replica 1295 ldap://ipa4-01.local:389} 561ba6430000050f
nsds50ruv: {replica 96 ldap://ipa0001-01.local:7389} 54be656e000000
nsds50ruv: {replica 76 ldap://ipa4-rep.local:389} 56142cde0000004c0
nsds50ruv: {replica 81 ldap://ipa0001-03.local:7389} 54c25ac6000000
nsds50ruv: {replica 86 ldap://ipa0001-02.local:7389} 54c12c1d000000
nsds50ruv: {replica 91 ldap://ipa0001-03.local:7389} 54bf475b000000
nsds50ruv: {replica 97 ldap://ipa0001-02.local:7389} 54be656b000000
nsds50ruv: {replica 1096 ldap://ipa3-rhel6.local:7389} 560d7d770000
nsds50ruv: {replica 1196 ldap://ip4-rhel7.local:389} 56137c31000004
nsds50ruv: {replica 1191 ldap://ipa4-rhel7.local:389} 5613a7ac00000
nsds50ruv: {replica 1275 ldap://ipa003.mgmt.prod.local:389} 56797be
nsds50ruv: {replica 1390 ldap://ipa002.mgmt.paas.local:389} 5787bb9
nsds50ruv: {replica 1595 ldap://ipa002.mgmt.paas.local:389} 5787db0
nsds50ruv: {replica 1590 ldap://ipa003.mgmt.paas.local:389} 5787e0f

From pgb205 at yahoo.com Tue Jul 19 17:30:35 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 19 Jul 2016 17:30:35 +0000 (UTC)
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com> <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <173086422.1447761.1468949435363.JavaMail.yahoo@mail.yahoo.com>

Sorry, I typed
things out instead of copy/paste. My /etc/hosts looks like:

search ad.local
127.0.0.1       localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.1      ipa_server.ipa.internal    ipa_server
172.19.10.10    ad_server1.ad.local
172.19.10.10    ad_server2.ad.local
172.19.10.10    ad_server3.ad.local

If you want I can send you the sssd logs again.

From: Sumit Bose
To: pgb205
Cc: Freeipa-users
Sent: Tuesday, July 19, 2016 3:33 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
>
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
>
> /etc/hosts:
> Reachable_IP_BOX   172.10.10.1
> DC1                172.10.10.1
> DC2                172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

>
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in the
right format (see above) to /etc/hosts?

>
> Additionally I have configured
> [domain/ipa.internal]
>      with
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a single
IPA DNS domain the two directories are sufficient.
bye,
Sumit

>
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts?
> Or is this some other issue?
>
> thanks
>
> From: Sumit Bose
> To: pgb205
> Cc: Sumit Bose ; Freeipa-users
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205
> >  To: Sumit Bose
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs.
> > Our active directory domain is ad_domain.local, but users would expect to
> > login as userid at ad_domain.com or just userid. For ipa the kerberos realm is
> > IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> > in the dns lookup results. I'll check this part further.
> > Lastly, only the connection to one of the domain controllers on AD side is
> > open. As discussed previously with Alexander Bokovoy I forced, in /etc/krb5.conf,
> > a connection to this single, accessible domain controller. Are there any other
> > files where I would need to lock down the connections between ipa->ad so that
> > all traffic goes to a specific active directory domain controller?
> > thanks again for replying so quickly.
>
> Currently it is not possible to specify the individual AD DC SSSD on the IPA
> server should talk to. We have ticket
> https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
> later versions of SSSD.
>
> Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
> get a list of AD DC, then picks one to get the next nearest site for the
> IPA domain and finally tries to lookup a DC from the matching site (if
> any).
>
> According to your logs SSSD was able to find 18 DCs with the SRV lookup.
> A call like
>
>     dig SRV _ldap._tcp.ad_domain.local
>
> on the IPA server should return the same list of 18 DCs.
>
> As a work-around, or better a hack, you might want to try to set the IP
> address of all the 18 DC returned to the IP address of the only
> accessible DC in /etc/hosts. This way SSSD should have no chance to
> connect to a different DC.
>
> bye,
> Sumit
>
> >
> >      From: Sumit Bose
> >  To: pgb205
> > Cc: Sumit Bose
> >  Sent: Tuesday, July 12, 2016 5:37 AM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > > Sumit,
> > > sssd log files attached with debug=10 in all sections. I have attempted
> > > several logins for comparison as well as kinit commands
> >
> > I came across two issues in the logs.
> >
> > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt
> > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the
> > AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently
> > FreeIPA cannot resolve those principals correctly. It was planned for
> > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will
> > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime
> > please try the work-around suggested at the end of
> > http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to
> > authenticate with user at AD_DOMAIN.COM SSSD looks for a server called
> > ewr-fipa_server.ad_domain.com but cannot find it and returns the error code
> > for "Cannot contact any KDC for requested realm".
> >
> > Second there are some issues accessing AD DCs via LDAP.
> > SSSD tries to
> > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but
> > both fail. It is not clear from the logs if already the DNS lookup for
> > those fails or if the connection itself runs into a timeout. In the
> > former case you should make sure that the names can be resolved on the
> > IPA server, in the latter you can try to increase ldap_network_timeout
> > (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it
> > switches the AD domains to offline. The authentication request is
> > handled offline as well but since there are no cached credentials you
> > get the permission denied error.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > >      From: Sumit Bose
> > >  To: pgb205
> > > Cc: "Freeipa-users at redhat.com"
> > >  Sent: Monday, July 11, 2016 3:06 AM
> > >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> > >
> > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:
> > > > I have successfully established trust and am able to obtain ticket granting ticket
> > > > kinit user at AD_DOMAIN.COM
> > > > I can also do kinit admin at IPA_DOMAIN.COM
> > > > ssh admin at IPA_DOMAIN.COM also works
> > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
> > > > I have checked that there are no hbac rules other than the default allow_all rule
> > > > in sssd_ssh.log see
> > > > permission denied (6) error
> > > > in sssd_ipa.domain.log file I see
> > > > pam_handler_callback 6 permission_denied
> > > > in sssd_nss.log
> > > > Unable to get information from Data Provider
> > > > Error: 3 Account info lookup failed
> > > > Will try to return what we have in cache
> > > > in /var/log/secure
> > > > received for user user at AD_DOMAIN.COM: 6 (Permission denied)
> > > >
> > > > I can provide full logs if necessary to diagnose the above problem.
> > >
> > > Yes, full SSSD logs with debug_level=10 would be best.
> > >
> > > > ----------
> > > > Additionally, I would like to be able to login as user not user at AD_DOMAIN.COM
> > > > My understanding is that the only thing that I have to change to make this happen is /etc/krb5.conf for line
> > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.
> > >
> > > No, please do not change the default_realm. This is not related to the
> > > issues you are seeing.
> > >
> > > bye,
> > > Sumit
> > >
> > > > However, when I do this I get failure to restart Samba service
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project

From jstephen at redhat.com Tue Jul 19 18:36:00 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Tue, 19 Jul 2016 14:36:00 -0400
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz>
References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz>
Message-ID: <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com>

Hello,

When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA will
search AD for the ID space of existing POSIX attributes to automatically
create a suitable ID range inside IPA. You can check the exact steps and
attributes searched by looking at the add_range function definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py

I would suggest reviewing the output of 'ipa idrange-find' to confirm that
the range matches up with the uid and gidNumbers of your AD environment.

Kind regards,
Justin Stephenson

On 07/19/2016 09:44 AM, Jan Karásek wrote:
> Hi,
>
> I am still fighting with storing user's POSIX attributes in AD.
> Please
> can anybody provide some simple reference settings of IPA-AD trust
> where users are able to get uid from AD - not from IPA ID pool?
>
> I have tried to set values of attributes before and after creating
> trust, I have tried different sssd settings but I'm still getting uid
> from IPA idrange pool instead of from AD user's attribute.
>
> What exactly is IPA checking when it tries to decide what type of
> trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
> Do I mandatorily have to fill some AD user's attributes to get it to work?
> Currently I'm testing just with uidNumber and gidNumber.
>
> There is almost no documentation about this topic so I don't know what
> else I can try ...
>
> Thanks for help,
>
> Jan
>
> ------------------------------------------------------------------------
>
> Date: Tue, 21 Jun 2016 21:38:15 +0200
> From: Jakub Hrozek
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> Message-ID: <20160621193815.GS29512 at hendrix>
> Content-Type: text/plain; charset=iso-8859-1
>
> On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> > Hi all,
> >
> > I have a question about IPA with AD forest trust. What I am trying to do is
> > set up an environment where all information about users is stored in one
> > place - AD. I would like to read at least uid, home, shell and sshkey from AD.
> >
> > I have set up trust with these parameters:
> >
> > ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>
> Did you add the POSIX attributes to AD after creating the trust maybe?
>
> > [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> >   Range name: EXAMPLE.TT_id_range
> >   First Posix ID of the range: 1392000000
> >   Number of IDs in the range: 200000
> >   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> >   Range type: Active Directory trust range with POSIX attributes
> >
> > I have set attributes in AD for user at EXAMPLE.TT
> > - uidNumber - 10000
> > - homeDirectory - /home/user
> > - loginShell - /bin/bash
> >
> > Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can
> > run id and getent passwd user at example.tt and I can use user at example.tt
> > for ssh.
> >
> > Problem is, that I am not getting uid from AD but from idrange:
> >
> > uid=1392001107(user at example.tt)
> >
> > Also I have tried to switch off id mapping in sssd.conf with
> > ldap_id_mapping = true in sssd.conf but no luck.
>
> This has no effect, in IPA-AD trust scenario, the id mapping properties
> are managed on the server.
>
> > I know, that it is probably better to use ID views for this, but in
> > our case we need to set up a centrally managed environment, where all user
> > information is externally inserted to AD from HR system - including
> > POSIX attributes and we need IPA to read them from AD.
>
> I think idviews are better for overriding POSIX attributes for a
> specific set of hosts, but in your environment, it sounds like you want
> to use the POSIX attributes across the board.
>
> > So my questions are:
> >
> > Is it possible to read user's POSIX attributes directly from AD -
> > namely uid?
>
> Yes
>
> > Which attributes can be stored in AD?
>
> Homedir is a bit special, for backwards compatibility the
> subdomains_homedir takes precedence. The others should be read from AD.
>
> I don't have the environment set at the moment, though, so I'm operating
> purely from memory.
>
> > Am I doing something wrong?
> > my sssd.conf:
> > [domain/a.example.tt]
> > debug_level = 5
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = a.example.tt
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ipa1.a.example.tt
> > chpass_provider = ipa
> > ipa_server = ipa1.a.example.tt
> > ipa_server_mode = True
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > #ldap_id_mapping = true
> > #subdomain_inherit = ldap_user_principal
> > #ldap_user_principal = nosuchattribute
> >
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = a.example.tt
> > [nss]
> > debug_level = 5
> > homedir_substring = /home
> > enum_cache_timeout = 2
> > entry_negative_timeout = 2
> >
> > [pam]
> > debug_level = 5
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> > debug_level = 4
> > [pac]
> >
> > debug_level = 4
> > [ifp]
> >
> > Thanks,
> > Jan
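Justin's suggestion above is to confirm that the range created for an 'ipa-ad-trust-posix' trust actually covers the uidNumber/gidNumber values stored in AD, and Jan's symptom is a uid that comes out of the range (1392001107, which is the range base 1392000000 plus 1107) instead of the uidNumber 10000 he set in AD. The script below is an added example, not code from this thread, from FreeIPA or from SSSD. It parses the `ipa idrange-show` output format quoted in the thread, reports AD records whose POSIX IDs are missing or fall outside the range, and decomposes an observed uid into range base plus offset so that an ID equal to base + RID (the shape of the algorithmic SID-to-ID mapping that a non-POSIX ipa-ad-trust range produces) can be told apart from one read out of uidNumber. The range text and the AD records, including the RIDs at the end of their SIDs, are constructed sample data modelled on the values in the thread.

```python
"""Check an IPA-AD trust ID range against the POSIX attributes stored in AD.

Added example, not code from the thread, FreeIPA or SSSD. The range text
and the AD records below are constructed sample data modelled on the values
quoted in the thread; the RIDs in the SIDs are invented.
"""

# Constructed to match the layout of the `ipa idrange-show` output above.
IDRANGE_TEXT = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed AD records: (sAMAccountName, objectSid, uidNumber, gidNumber);
# None means the attribute is not set on the AD object.
AD_USERS = [
    ("user",  "S-1-5-21-4123312533-990676102-3576722756-1107", 10000, 10000),
    ("svc1",  "S-1-5-21-4123312533-990676102-3576722756-1108", 1392001200, 1392001200),
    ("nouid", "S-1-5-21-4123312533-990676102-3576722756-1109", None, None),
]


def parse_idrange(text):
    """Turn the 'Key: value' lines of `ipa idrange-show` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    base = int(fields["First Posix ID of the range"])
    size = int(fields["Number of IDs in the range"])
    return {
        "name": fields["Range name"],
        "base": base,
        "end": base + size - 1,  # last ID covered, inclusive
        "sid": fields["Domain SID of the trusted domain"],
        "posix": "POSIX attributes" in fields["Range type"],
    }


def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def explain_uid(idrange, observed_uid, sid):
    """Classify a uid seen on the IPA side for the account with this SID:
    'outside-range' (cannot come from this range), 'rid-mapped' (equals
    base + RID, the shape of the algorithmic mapping a non-POSIX
    ipa-ad-trust range produces) or 'in-range' (inside the range at some
    other offset, as a uidNumber read from AD would be)."""
    if not idrange["base"] <= observed_uid <= idrange["end"]:
        return "outside-range"
    if observed_uid - idrange["base"] == rid_of(sid):
        return "rid-mapped"
    return "in-range"


def check_users(idrange, users):
    """Return (name, problem) pairs for AD records that cannot resolve
    cleanly through a POSIX-type trust range."""
    problems = []
    for name, sid, uid, gid in users:
        if not sid.startswith(idrange["sid"] + "-"):
            problems.append((name, "SID is not from the trusted domain"))
            continue
        if uid is None or gid is None:
            problems.append((name, "uidNumber or gidNumber missing in AD"))
            continue
        for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
            if not idrange["base"] <= value <= idrange["end"]:
                problems.append((name, "%s %d outside range %d-%d" % (
                    attr, value, idrange["base"], idrange["end"])))
    return problems


if __name__ == "__main__":
    rng = parse_idrange(IDRANGE_TEXT)
    print("range %s: %d-%d, posix=%s" % (rng["name"], rng["base"], rng["end"], rng["posix"]))
    for name, problem in check_users(rng, AD_USERS):
        print("%-6s %s" % (name, problem))
    # The uid quoted in the thread, checked against the first sample record.
    print("uid 1392001107 for %s: %s" % (
        AD_USERS[0][0], explain_uid(rng, 1392001107, AD_USERS[0][1])))
```

Run it against the real `ipa idrange-show` output and an LDAP export of uidNumber, gidNumber and objectSid from AD. A record it lists as outside the range will not resolve through a POSIX-type range, which is exactly what Justin's idrange-find check is meant to catch; a 'rid-mapped' verdict for an account that does carry a uidNumber in AD is worth checking against the range type actually in use and against SSSD's cache (`sss_cache -E`) before touching the AD attributes.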
URL: From pgb205 at yahoo.com Tue Jul 19 19:28:25 2016 From: pgb205 at yahoo.com (pgb205) Date: Tue, 19 Jul 2016 19:28:25 +0000 (UTC) Subject: [Freeipa-users] Unable to ssh after establishing trust In-Reply-To: <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com> <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <55011995.1493244.1468956506002.JavaMail.yahoo@mail.yahoo.com> well...I'm not sure what I changed, if anything, but I am able to login with my AD credentials. I have restarted ipa server and cleared sss_cache, so maybe that helped. A few other things still remain though: right now im logging in as jsmith at ADDOMAIN.LOCALI would want it to be either jsmith at ADDOMAIN.COMor better yetjsmith ?--without specifying the domain name. How can this be accomplished? thanks From: Sumit Bose To: pgb205 Cc: Freeipa-users Sent: Tuesday, July 19, 2016 3:33 AM Subject: Re: [Freeipa-users] Unable to ssh after establishing trust On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote: > Sumit, > > I have set the names of all the Domain Controllers to be resolvable to the IP > of the one reachable Domain Controller in /etc/hosts > > /etc/hosts: > Reachable_IP_BOX? 172.10.10.1 > DC1? ? ? ? ? ? ? ? ? ? ? ? ? ? 172.10.10.1 > DC2? ? ? ? ? ? ? ? ? ? ? ? ? ? 172.10.10.1 > ... > ... 
The IP address should come first, please see man hosts for details. > > However, I still see the following > Marking SRV lookup of service 'gc_addomain.local' as 'neutral' > Marking server dc1.addomain.local' as 'name not resolved' Have you tried to add the fully-qualified names (dc1.addomain.local) in the right format (see above) to /etc/hosts? > > > Additionally I have configured > [domain/ipa.internal] >? ? ? with > subdomain_inherit = ldap_user_principal > ldap_user_principal = nosuchattr > > > As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be > the old hostname of the IPA KDC. > After much troubleshooting I believe I got this fixed by deleting? extra > folders in > /var/named/dyndb-ldap/ipa/master > Right now the only two folders are ipa.internal and .in-addr.arpa. > I think this is what helped with this issue. but can you please confirm if it > sounds reasonable. Not sure how you got the additional directories but if on only have a single IPA DNS domain the two directories are sufficient. bye, Sumit > > > Ssh is still failing, possibly due to the problem 1 above. Is there anything > else I can do to force ipa to pay attention to the /etc/hosts ? > Or is this some other issue? > > thanks > ??????????????????????????????????????????????????????????????????????????????? > From: Sumit Bose > To: pgb205 > Cc: Sumit Bose ; Freeipa-users > Sent: Wednesday, July 13, 2016 5:43 AM > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote: > > +freeipa-users list > > > >? ? ? From: pgb205 > >? To: Sumit Bose > >? Sent: Tuesday, July 12, 2016 2:12 PM > >? Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > >? > > Sumit, thanks for replying > > So the first issue is my fault, probably from when I was sanitizing logs. 
> > our active directory domain is ad_domain.local, but users would expect to > login as userid at ad_domain.com or just userid.for ipa the kerberos realm is > IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal. > > ewr-fipa_server used to be old trial server so I am not sure why it's still > in the dns lookup results. I'll check this part further. > > Lastly. only the connection to one of the domain controllers on AD side is > open. As discussed previously with Alexandr BokovoyI forced, in /etc/krb5.conf, > a connection to this single, accessible domain controller. Are there any other > files where I would needto lock down the connections between ipa->ad so that > all traffic goes to specific active directory domain controller? > > thanks again for replying so quickly. > > Currently it is not possible to specify individual AD DC SSSD on the IPA > server should talk to. We have ticket > https://fedorahosted.org/sssd/ticket/2599 to make this possible in some > later versions of SSSD. > > Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to > get a list of AD DC, then picks one to get the next nearest site for the > IPA domain and finally tries to lookup a DC from the matching site (if > any). > > According to your logs SSSD was able to find 18 DCs with the SRV lookup. > A call like > >? ? dig SRV _ldap._tcp.ad_domain.local > > on the IPA server should return the same list of 18 DCs. > > As a work-around, or better a hack, you might want to try to set the IP > address of all the 18 DC returned to the IP address of the only > accessible DC in /etc/hosts. This way SSSD should have no chance to > connect to a different DC. > > bye, > > Sumit > > > > >? ? ? From: Sumit Bose > >? To: pgb205 > > Cc: Sumit Bose > >? Sent: Tuesday, July 12, 2016 5:37 AM > >? 
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > > Sumit,
> > > sssd log files attached with debug=10 in all sections. I have attempted several logins for comparison as well as kinit commands
> >
> > I came across two issues in the logs.
> >
> > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt but there seems to be an alternative domain suffix 'AD_DOMAIN.COM' on the AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently FreeIPA cannot resolve those principals correctly. It was planned for IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime please try the work-around suggested at the end of http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to authenticate with user at AD_DOMAIN.COM SSSD looks for a server called ewr-fipa_server.ad_domain.com but cannot find it and returns the error code for "Cannot contact any KDC for requested realm".
> >
> > Second there are some issues accessing AD DCs via LDAP. SSSD tries to connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but both fail. It is not clear from the logs if already the DNS lookup for those fails or if the connection itself runs into a timeout. In the former case you should make sure that the names can be resolved on the IPA server; in the latter you can try to increase ldap_network_timeout (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it switches the AD domains to offline. The authentication request is handled offline as well, but since there are no cached credentials you get the permission denied error.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >
> >
> > >     From: Sumit Bose
> > >  To: pgb205
> > > Cc: "Freeipa-users at redhat.com"
> > >
> > >  Sent: Monday, July 11, 2016 3:06 AM
> > >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> > >
> > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:
> > > > I have successfully established trust and am able to obtain a ticket granting ticket:
> > > > kinit user at AD_DOMAIN.COM
> > > > I can also do kinit admin at IPA_DOMAIN.COM
> > > > ssh admin at IPA_DOMAIN.COM also works
> > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails
> > > > I have checked that there are no hbac rules other than the default allow_all rule
> > > > in sssd_ssh.log I see
> > > > permission denied (6) error
> > > > in sssd_ipa.domain.log file I see
> > > > pam_handler_callback 6 permission_denied
> > > > in sssd_nss.log
> > > > Unable to get information from Data Provider
> > > > Error: 3
> > > > Account info lookup failed
> > > > Will try to return what we have in cache
> > > > in /var/log/secure
> > > > received for user user at AD_DOMAIN.COM: 6 (Permission denied)
> > > >
> > > > I can provide full logs if necessary to diagnose the above problem.
> > >
> > > Yes, full SSSD logs with debug_level=10 would be best.
> > >
> > > > ----------
> > > > Additionally, I would like to be able to login as user, not user at AD_DOMAIN.COM
> > > > My understanding is that the only thing that I have to change to make this happen is /etc/krb5.conf, for the line
> > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.
> > >
> > > No, please do not change the default_realm. This is not related to the issues you are seeing.
> > >
> > > bye,
> > > Sumit
> > >
> > > > However, when I do this I get failure to restart Samba service
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
From jeremy at ifuzioncorp.com Tue Jul 19 19:42:54 2016
From: jeremy at ifuzioncorp.com (Jeremy Utley)
Date: Tue, 19 Jul 2016 14:42:54 -0500
Subject: [Freeipa-users] FreeIPA SSL certificates installed to multiple hosts
Message-ID:

Hello all!

We're looking at replacing a lot of our currently self-signed internal SSL certificates in our infrastructure with certificates generated by the FreeIPA CA. However, I've run into something that I haven't been able to find documented as of yet, and I'm hoping some of you can point me in the right direction. Some of our internal SSL sites are load-balanced between multiple hosts, so we end up with the same SSL/Key installed to each host. For example:

hostname.domain.com is hosted on hostA and hostB.

Both hostA and hostB have the certs at /etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at /etc/httpd/certs/hostname.domain.com/hostname.key

I would expect I can have both hostA and hostB be able to work with the FreeIPA certificates by adding additional ipa host-add-managedby and ipa service-add-host commands, to specify both hostA and hostB. However, from my understanding, running the "ipa-getcert request" command on hostA will put the certs on hostA only, and I'd need the same certs on both hostA and hostB. Is there a special ipa-getcert incantation that can retrieve the already-issued certificate files, and allow them to be managed by FreeIPA on both hosts? Or is there another recommended way of doing this?

Thanks for any info you can give me!

Jeremy Utley

From rcritten at redhat.com Tue Jul 19 20:29:28 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Jul 2016 16:29:28 -0400
Subject: [Freeipa-users] FreeIPA SSL certificates installed to multiple hosts
In-Reply-To:
References:
Message-ID: <578E8DA8.5030501@redhat.com>

Jeremy Utley wrote:
> Hello all!
>
> We're looking at replacing a lot of our currently self-signed internal SSL certificates in our infrastructure with certificates generated by the FreeIPA CA. However, I've run into something that I haven't been able to find documented as of yet, and I'm hoping some of you can point me in the right direction. Some of our internal SSL sites are load-balanced between multiple hosts, so we end up with the same SSL/Key installed to each host. For example:
>
> hostname.domain.com is hosted on hostA and hostB.
>
> Both hostA and hostB have the certs at /etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at /etc/httpd/certs/hostname.domain.com/hostname.key
>
> I would expect I can have both hostA and hostB be able to work with the FreeIPA certificates by adding additional ipa host-add-managedby and ipa service-add-host commands, to specify both hostA and hostB. However, from my understanding, running the "ipa-getcert request" command on hostA will put the certs on hostA only, and I'd need the same certs on both hostA and hostB. Is there a special ipa-getcert incantation that can retrieve the already-issued certificate files, and allow them to be managed by FreeIPA on both hosts? Or is there another recommended way of doing this?
>
> Thanks for any info you can give me!
>

IPA doesn't have any provision for sharing keys between machines. I think you'd need to manage it similar to the way you probably do now: manually copying files around.

What you can do is set up one machine to "own" the certs and keys and do the renewals via certmonger, but beyond that you're on your own.

rob

From pgb205 at yahoo.com Tue Jul 19 21:12:25 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 19 Jul 2016 21:12:25 +0000 (UTC)
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To: <20160704040259.33yzk72zdouj6a44@redhat.com>
References: <193259965.1531799.1467310864326.JavaMail.yahoo.ref@mail.yahoo.com> <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com> <20160701073704.bfwctcictvxin5cr@redhat.com> <1418706071.801742.1467603366130.JavaMail.yahoo@mail.yahoo.com> <20160704040259.33yzk72zdouj6a44@redhat.com>
Message-ID: <1317326516.1599020.1468962745442.JavaMail.yahoo@mail.yahoo.com>

Alexander, regarding your comment about putting the stanza on each client. In our case clients are not on the same network as the Active Directory domain controller. My plan was to have the FreeIPA server as the bridge-head server, AD DC <-> FIPA server <-> Linux clients, as it sits on the network that has access to both environments.

1. If each client has to go out to the AD DC to authenticate, then what is the purpose of the FreeIPA server? I thought it would act as a proxy to forward authentication requests to AD.
2. What would be my options in the above situation to get around this requirement -- direct connectivity to the Active Directory environment by clients?

thanks

From: Alexander Bokovoy
To: pgb205
Cc: Freeipa-users
Sent: Monday, July 4, 2016 12:02 AM
Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.

On Mon, 04 Jul 2016, pgb205 wrote:
>Selinux is disabled on the server. However, I managed to fix the problem by adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}. So it now looks like
>[realms]
>IPA.DOMAIN {
>  master_kdc=ipa.dc.ipadomain:port
>  auth_kdc=ipa.dc.ipadomain:port
>  ...
>}
>AD.DOMAIN {
>  master_kdc=ad.dc.addomain:port
>  auth_kdc=ad.dc.addomain:port
>  ...
>}
>This had the desired effect although I am not 100% clear on why this worked.
>My theory is that we have multiple domain controllers and of course the addomain.com forward zone that was configured prior returns a full list.
>Only the ports to the one ad.dc.addomain.com server have been opened between the ipa and ad servers, and so when the trust command is executed the connection goes to some domain controller that IPA can't connect to, eventually generating an error. Just a theory for now.

It is a totally plausible theory -- when we do trust-fetch-domains, we try to use Kerberos authentication against AD DCs. Forcing the IPA master to use a specific domain controller via krb5.conf should help here.

Note that you'll need to have a similar stanza on each IPA client as well because authentication happens directly to AD DCs and SSSD on IPA clients will have to do the same job using AD user credentials in case of password logons.

>thanks
>
>      From: Alexander Bokovoy
> To: pgb205
>Cc: "bentech4you at gmail.com" ; Freeipa-users
> Sent: Friday, July 1, 2016 3:37 AM
> Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.
>
>On Thu, 30 Jun 2016, pgb205 wrote:
>>Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains.
>I'm currently on vacation and don't have access to my lab, but you need to check if there are any problems with SELinux. 'ipa trust-fetch-domains' calls out via DBus to another script. It is functionally equivalent to the following command run as root:
>
># oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test
>
>where ad.test is your AD root domain.
>
>If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this run will generate a lot of debug information.
>
>
>--
>/ Alexander Bokovoy
>
>
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy
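Sumit's /etc/hosts work-around earlier in this archive and the krb5.conf [realms] pinning in this thread both rely on every path from the IPA server to AD ending at the one reachable DC. As an added example (not FreeIPA or SSSD code), the Python below checks a hosts file and a krb5.conf for exactly that: hosts lines must put the IP first (the mistake pointed out in the other thread), every SRV-returned DC name must map to the allowed address, and the AD realm's KDC entries must resolve to it. Host names, realm names and the 192.0.2.x addresses are constructed placeholders, and the standard kdc/master_kdc keys are used rather than the stanza quoted above.

```python
"""Check that /etc/hosts and krb5.conf pin every AD DC to the one reachable
domain controller. Added example, not FreeIPA/SSSD code; all names and
addresses below are constructed placeholders."""
import ipaddress
import re

# Constructed: names an SRV lookup of _ldap._tcp.ad_domain.local might return.
DC_NAMES = ["dc1.ad_domain.local", "dc2.ad_domain.local",
            "dc3.ad_domain.local", "dc4.ad_domain.local"]
ALLOWED_IP = "192.0.2.10"      # the only DC the firewall lets through
AD_REALM = "AD_DOMAIN.LOCAL"

# Constructed /etc/hosts: dc1 correct, dc2 with fields reversed, dc3 missing,
# dc4 pointing at an address that is not reachable.
HOSTS = """\
127.0.0.1   localhost
192.0.2.10  dc1.ad_domain.local dc1
dc2.ad_domain.local 192.0.2.10
192.0.2.20  dc4.ad_domain.local
"""

# Constructed krb5.conf: the AD realm still lists a second, unpinned KDC.
KRB5 = """\
[libdefaults]
  default_realm = IPA_DOMAIN.INTERNAL

[realms]
  IPA_DOMAIN.INTERNAL = {
    kdc = ipa.ipa_domain.internal:88
    master_kdc = ipa.ipa_domain.internal:88
  }
  AD_DOMAIN.LOCAL = {
    kdc = dc1.ad_domain.local:88
    kdc = dc2.ad_domain.local:88
    master_kdc = dc1.ad_domain.local:88
  }
"""


def parse_hosts(text):
    """Return ({name: ip}, [bad lines]). A line is bad when its first field
    is not an IP address, i.e. the name/IP order is reversed (see man hosts)."""
    names, bad = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            bad.append(raw)
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), ip)   # first mapping wins, as in glibc
    return names, bad


def parse_krb5_realms(text):
    """Return {REALM: {key: [values]}} from the [realms] section.
    Minimal parser for the one-level 'REALM = { key = value }' shape."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"(\S+)\s*=\s*\{$", line)
        if m:
            current = realms.setdefault(m.group(1).upper(), {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms


def check_pinning(hosts_text, krb5_text, dc_names, realm, allowed_ip):
    """Return a list of findings; an empty list means every path is pinned."""
    findings = []
    names, bad = parse_hosts(hosts_text)
    for line in bad:
        findings.append(f"hosts: IP must come first: {line!r}")
    for dc in dc_names:
        ip = names.get(dc.lower())
        if ip is None:
            findings.append(f"hosts: {dc} not pinned (SSSD will use DNS)")
        elif ip != allowed_ip:
            findings.append(f"hosts: {dc} -> {ip}, expected {allowed_ip}")
    stanza = parse_krb5_realms(krb5_text).get(realm.upper())
    if stanza is None:
        findings.append(f"krb5: no [realms] stanza for {realm}")
        return findings
    for key in ("kdc", "master_kdc"):
        for value in stanza.get(key, []):
            host = value.rsplit(":", 1)[0].lower()   # strip the :port suffix
            if names.get(host) != allowed_ip:
                findings.append(f"krb5: {realm} {key} = {value} "
                                f"is not pinned to {allowed_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_pinning(HOSTS, KRB5, DC_NAMES, AD_REALM, ALLOWED_IP):
        print(finding)
```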
From linov.suresh at gmail.com Tue Jul 19 23:16:47 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 19 Jul 2016 19:16:47 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <578E3E45.1040904@redhat.com>
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com>
Message-ID:

Great! That worked, and I successfully renewed the certificates on the IPA server. Then I was trying to create an IPA replica server and got an error,

[root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root at neit-lab ~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall but it wasn't helpful.
Wondering if you can help us on this,

On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> I have followed the Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)*
>>
>> While on the other hand the FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to *add: usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate or *replace* the existing certificate, and which format do we need to use? *pem* or *der*.
>>
>> We already successfully renewed the certificates about months back, but they expired about 6 months back and we were not able to renew till now, and it is affecting our production environment.
>>
>> Please help us.
>>
>
> You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
>
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.
>
> Assuming you can, then go back in time again, this time just a few days and try renewing the LDAP and Apache server certs again.
>
> rob
>
>
>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>>
>> We have cloned and created another virtual server from the template. Surprisingly this server's certificates also expired at the same time as the previous; they just lasted for a day.
>> Does this issue have something to do with the kerberos tickets?
>>
>> I am new to IPA and your help is highly appreciated.
>> >> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh >> > wrote: >> >> *Update: my webserver and LDAP certificates were expired at >> 2016-07-18 15:54:36 UTC and the certificates are in >> CA_UNREACHABLE state.* >> * >> * >> *Could you please help us? >> * >> >> [root at caer tmp]# getcert list >> Number of certificates and requests being tracked: 8. >> Request ID '20111214223243': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: -504 >> (libcurl failed to execute the HTTP POST transaction. Peer >> certificate cannot be authenticated with known CA certificates). >> stuck: yes >> key pair storage: >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> Certificate >> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >> certificate: >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=caer.teloip.net >> ,O=TELOIP.NET >> *expires: 2016-07-18 15:54:36 UTC* >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20111214223300': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: -504 >> (libcurl failed to execute the HTTP POST transaction. Peer >> certificate cannot be authenticated with known CA certificates). 
>> stuck: yes >> key pair storage: >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> certificate: >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=caer.teloip.net >> ,O=TELOIP.NET >> *expires: 2016-07-18 15:54:52 UTC* >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20111214223316': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: -504 >> (libcurl failed to execute the HTTP POST transaction. Peer >> certificate cannot be authenticated with known CA certificates). >> stuck: yes >> key pair storage: >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=caer.teloip.net >> ,O=TELOIP.NET >> *expires: 2016-07-18 15:55:04 UTC* >> >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20130519130741': >> status: MONITORING >> ca-error: Internal error: no response to >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >> certificate: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=CA Audit,O=TELOIP.NET >> expires: 2017-10-13 14:10:49 UTC >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130742': >> status: MONITORING >> ca-error: Internal error: no response to >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". >> stuck: no >> key pair storage: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >> certificate: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=OCSP Subsystem,O=TELOIP.NET < >> http://TELOIP.NET> >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-OCSPSigning >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130743': >> status: MONITORING >> ca-error: Internal error: no response to >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB',pin='297100916664' >> certificate: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=CA Subsystem,O=TELOIP.NET > > >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130744': >> status: MONITORING >> ca-error: Internal error: no response to >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". >> stuck: no >> key pair storage: >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=RA Subsystem,O=TELOIP.NET > > >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> /usr/lib64/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20130519130745': >> status: MONITORING >> ca-error: Internal error: no response to >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> Certificate DB',pin='297100916664' >> certificate: >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> subject: CN=caer.teloip.net >> ,O=TELOIP.NET >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET >> " >> track: yes >> auto-renew: yes >> >> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh >> > wrote: >> >> Yes, PKI is running and I don't see any errors in selftests, >> I have followed https://access.redhat.com/solutions/643753 >> and restarted the PKI in step 10. >> >> The only change which I made was clean >> up userCertificate;binary before adding new >> userCertificatein LDAP, which is step 12. >> >> >> [root at caer ~]# /etc/init.d/pki-cad status >> pki-ca (pid 8634) is running... 
[ >> OK ] >> Unsecure Port = >> http://caer.teloip.net:9180/ca/ee/ca >> Secure Agent Port = >> https://caer.teloip.net:9443/ca/agent/ca >> Secure EE Port = >> https://caer.teloip.net:9444/ca/ee/ca >> Secure Admin Port = >> https://caer.teloip.net:9445/ca/services >> EE Client Auth Port = >> https://caer.teloip.net:9446/ca/eeca/ca >> PKI Console Port = pkiconsole >> https://caer.teloip.net:9445/ca >> Tomcat Port = 9701 (for shutdown) >> >> PKI Instance Name: pki-ca >> >> PKI Subsystem Type: Root CA (Security Domain) >> >> Registered PKI Security Domain Information: >> >> >> ========================================================================== >> Name: IPA >> URL: https://caer.teloip.net:9445 >> >> >> ========================================================================== >> [root at caer ~]# >> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin logger >> parameters >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin instances >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin instance >> parameters >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading self test plugins in on-demand >> order >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading self test plugins in startup order >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: Self test plugins have been successfully >> loaded! 
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>>
>> 70 Forest Manor Rd.
>> Toronto
>> ON M2J 0A9
>> Mobile: +1 647 406 9438
>> Linkedin: ca.linkedin.com/in/linov/
>>
>> Website: http://mylinuxthoughts.blogspot.com
>>
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,
>> >
>> > *ca-error: Internal error: no response to
>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>
>> Is PKI running? When you change the time, does a restart of IPA help?
>>
>> >
>> > [root at caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > Certificate >> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > Certificate DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> > >> > expires: 2016-07-18 15:54:36 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20111214223300': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> > >> > expires: 2016-07-18 15:54:52 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20111214223316': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > Certificate DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> > >> > expires: 2016-07-18 15:55:04 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID 
'20130519130741': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=CA Audit,O=TELOIP.NET >> >> > expires: 2017-10-13 14:10:49 UTC >> > pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "auditSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130742': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". 
>> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=OCSP Subsystem,O=TELOIP.NET >> >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-OCSPSigning >> > pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "ocspSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130743': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=CA Subsystem,O=TELOIP.NET >> >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "subsystemCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130744': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". 
>> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate >> > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=RA Subsystem,O=TELOIP.NET >> >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> /usr/lib64/ipa/certmonger/restart_httpd >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130745': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> > subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> > >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET >> > " >> > track: yes >> > auto-renew: yes >> > [root at caer ~]# >> > >> > Your help is highly appreciated! >> > >> > >> > >> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden < >> rcritten at redhat.com >> > > >> >> wrote: >> > >> > Linov Suresh wrote: >> > >> > I logged into my IPA master, and found that >> the cert had expired again, >> > we renewed these certificates about 18 months >> ago. >> > >> > Our environment is CentOS 6.4 and IPA 3.0.0-26. 
>> > >> > >> > I followed the Redhat documentation,How do >> I manually renew Identity >> > Management (IPA) certificates after they >> have expired? (Master IPA >> > Server), >> https://access.redhat.com/solutions/643753 but no luck. >> > >> > >> > I have also changed the directive >> "NSSEnforceValidCerts off" in >> > /etc/httpd/conf.d/nss.conf and the value of >> nsslapd-validate-cert is warn. >> > >> > ldapsearch -x -h localhost -p 7389 -D >> 'cn=directory manager' -w ******* >> > -b cn=config | grep nsslapd-validate-cert >> > >> > nsslapd-validate-cert: warn >> > >> > Here is my getcert list, >> > >> > [root at caer ~]# getcert list >> > >> > >> > It looks like your CA subsystem certificates all >> renewed successfully it is >> > just the webserver and LDAP certificates that >> need renewing so that's good. >> > >> > What I'd do is go back in time again to say Jan >> 20, 2016 and restart >> > certmonger. That should make it retry the renewals. >> > >> > rob >> > >> > >> > >> > >> >> >> >> -- >> Petr Vobornik >> >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From datakid at gmail.com Tue Jul 19 23:28:06 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Wed, 20 Jul 2016 09:28:06 +1000 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: <20160719064058.GA7639@hendrix> References: <20160711071538.GW2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> <20160719064058.GA7639@hendrix> Message-ID: On 19 July 2016 at 16:40, Jakub Hrozek wrote: > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > I think the thing that frustrates the most is that id user at domain.com is > > returning correct data on both but they can't login....and I can't even > > show that this is the case because now they can login. 
> > Difficult to reproduce :/
>
> Debugging from HBAC should at least tell you why the rules didn't
> match...

Sorry, I should have been clear - the issue is exactly the same. HBAC rejected the user because they weren't in the correct groups, but sssd hadn't got the correct number of groups from the AD server, and had missed the group in question.

This is the user that reported the issue yesterday morning:

[root at vmpr-linuxidm ~]# id "lupat richard"@petermac.org.au | tr "," "\n" | wc -l
22

Here are the relevant lines from the log.

(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [Computing Cluster]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [Computing Cluster]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Computing Cluster]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [Computing Cluster]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [Computing Cluster]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [12] groups for [Lupat Richard]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=.Research Bioinformatics Students Reading Group,OU=Distribution Groups,OU=Research,OU=User Accounts,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=.Research Assistants,OU=Distribution Groups,OU=Research,OU=User Accounts,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=Bioinf-Cluster,OU=Security Groups,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=External - Exchange 2010 Users,OU=SOE & IT,OU=Security Groups,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=VPN Access - General,OU=Security Groups,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=.Mac Users,OU=!Exchange Distribution Groups,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=Bioinf - Team,OU=!Security Groups,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=.Research Bioinformatics,OU=!Exchange Distribution Groups,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=DM_Outlook_Find,CN=Users,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected groups second component, got Users
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=RES_BioInformatics,OU=Department Groups,OU=Security Groups,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=.Research All Staff,OU=Distribution Groups,OU=Research,OU=User Accounts,OU=User Accounts,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x1000): Parsing CN=Domain Users,OU=Domain Groups,OU=Security Groups,DC=petermac,DC=org,DC=au
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_evaluate] (0x0100): [< hbac_evaluate()
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_evaluate] (0x0100): The rule [Computing Cluster] did not match.
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
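Added example, not SSSD or FreeIPA code: a small Python triage script for the HBAC debug output above. It parses records of the shape shown, reports how many groups the evaluator saw for the user, lists the group DNs that get_ipa_groupname refused, and compares the count with what `id` printed. The cn=/cn=groups check is inferred from the two error messages in the log (not taken from SSSD's source), and the cn=hpc-users DN in the sample is constructed.

```python
"""Triage one HBAC evaluation from SSSD IPA-provider debug log lines.
Added example; the DN check approximates what the log messages imply."""
import re

# One record: "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
    r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
GROUPS_RE = re.compile(r"^\[(?P<n>\d+)\] groups for \[(?P<user>[^\]]*)\]$")
RULE_RE = re.compile(r"^Processing rule \[(?P<rule>[^\]]*)\]$")
NOMATCH_RE = re.compile(r"^The rule \[(?P<rule>[^\]]*)\] did not match\.$")


def parse_line(line):
    """Return (function, level, message) for one record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("func"), m.group("level"), m.group("msg")


def ipa_group_name(dn):
    """Accept a DN only if it looks like an IPA group: first RDN cn=<name>,
    second RDN cn=groups. Mirrors the two errors seen in the log; it is an
    approximation, not SSSD's code, and does not handle escaped commas.
    Returns (name, None) on success or (None, reason) on rejection."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 3:
        return None, "DN too short"
    first, second = rdns[0].split("=", 1), rdns[1].split("=", 1)
    if len(first) != 2 or first[0].lower() != "cn":
        return None, "Expected cn in first component, got %s" % first[0]
    if len(second) != 2 or second[0].lower() != "cn":
        return None, "Expected cn in second component, got %s" % second[0]
    if second[1].lower() != "groups":
        return None, "Expected groups second component, got %s" % second[1]
    return first[1], None


def analyze_hbac_log(lines, id_group_count=None):
    """Summarise rule, user, group counts, rejected DNs and the verdict.
    id_group_count is what `id ... | tr "," "\\n" | wc -l` reported."""
    s = {"rule": None, "user": None, "groups_seen": None, "ipa_groups": [],
         "skipped": [], "unmatched_rules": [], "denied": False,
         "count_mismatch": None}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        func, _level, msg = rec
        if func == "hbac_attrs_to_rule" and s["rule"] is None:
            m = RULE_RE.match(msg)
            if m:
                s["rule"] = m.group("rule")
        elif func == "hbac_eval_user_element":
            m = GROUPS_RE.match(msg)
            if m:
                s["groups_seen"], s["user"] = int(m.group("n")), m.group("user")
        elif func == "get_ipa_groupname" and msg.startswith("Parsing "):
            dn = msg[len("Parsing "):]
            name, reason = ipa_group_name(dn)
            (s["ipa_groups"].append(name) if name
             else s["skipped"].append((dn, reason)))
        elif func == "hbac_evaluate":
            m = NOMATCH_RE.match(msg)
            if m:
                s["unmatched_rules"].append(m.group("rule"))
        elif func == "ipa_hbac_evaluate_rules" and msg == "Access denied":
            s["denied"] = True
    if id_group_count is not None and s["groups_seen"] is not None:
        s["count_mismatch"] = s["groups_seen"] != id_group_count
    return s


# Constructed sample: records copied from the thread plus one made-up
# IPA-style group DN (cn=hpc-users,...) to show the accepted shape.
_P = "(Tue Jul 19 10:07:53 2016) [sssd[be[unix.petermac.org.au]]] "
SAMPLE_LOG = [
    _P + "[hbac_attrs_to_rule] (0x1000): Processing rule [Computing Cluster]",
    _P + "[hbac_eval_user_element] (0x1000): [12] groups for [Lupat Richard]",
    _P + "[get_ipa_groupname] (0x1000): Parsing CN=Bioinf-Cluster,OU=Security Groups,DC=petermac,DC=org,DC=au",
    _P + "[get_ipa_groupname] (0x0020): Expected cn in second component, got OU",
    _P + "[get_ipa_groupname] (0x1000): Parsing CN=DM_Outlook_Find,CN=Users,DC=petermac,DC=org,DC=au",
    _P + "[get_ipa_groupname] (0x0020): Expected groups second component, got Users",
    _P + "[get_ipa_groupname] (0x1000): Parsing cn=hpc-users,cn=groups,cn=accounts,dc=example,dc=test",
    _P + "[hbac_evaluate] (0x0100): The rule [Computing Cluster] did not match.",
    _P + "[ipa_hbac_evaluate_rules] (0x0080): Access denied",
]

if __name__ == "__main__":
    # 22 is the line count `id` produced in the message above.
    r = analyze_hbac_log(SAMPLE_LOG, id_group_count=22)
    print("rule: %s  user: %s" % (r["rule"], r["user"]))
    print("groups seen by HBAC: %s  reported by id: 22  mismatch: %s"
          % (r["groups_seen"], r["count_mismatch"]))
    for dn, why in r["skipped"]:
        print("skipped: %s -> %s" % (dn, why))
    print("usable IPA groups: %s" % r["ipa_groups"])
    print("denied: %s  unmatched rules: %s" % (r["denied"], r["unmatched_rules"]))
```

A count mismatch between the evaluator's "[N] groups" line and `id` points at the group resolution step rather than the rule itself; the skipped list shows which DNs never reached the rule.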
From Lachlan.Simpson at petermac.org Tue Jul 19 23:30:28 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Tue, 19 Jul 2016 23:30:28 +0000
Subject: [Freeipa-users] Unable to ssh after establishing trust
In-Reply-To: <55011995.1493244.1468956506002.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com> <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <55011995.1493244.1468956506002.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <0137003026EBE54FBEC540C5600C03C436F88A@PMC-EXMBX02.petermac.org.au>

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of pgb205
Sent: Wednesday, 20 July 2016 5:28 AM
To: Sumit Bose
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

well...I'm not sure what I changed, if anything, but I am able to login with my AD credentials. I have restarted ipa server and cleared sss_cache, so maybe that helped.

A few other things still remain though:

right now I'm logging in as jsmith at ADDOMAIN.LOCAL
I would want it to be either jsmith at ADDOMAIN.COM or better yet jsmith --without specifying the domain name.
How can this be accomplished?

[Lachlan Simpson] You are looking for the default_domain_suffix setting in the sssd stanza of /etc/sssd/sssd.conf
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-user-ids.html

Cheers
L.

thanks

________________________________
From: Sumit Bose
To: pgb205
Cc: Freeipa-users
Sent: Tuesday, July 19, 2016 3:33 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
>
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
>
> /etc/hosts:
> Reachable_IP_BOX 172.10.10.1
> DC1 172.10.10.1
> DC2 172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

>
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in the right format (see above) to /etc/hosts?

>
>
> Additionally I have configured
> [domain/ipa.internal]
> with
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
>
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a single IPA DNS domain the two directories are sufficient.

bye,
Sumit

>
>
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> > thanks > ??????????????????????????????????????????????????????????????????????????????? > From: Sumit Bose > > To: pgb205 > > Cc: Sumit Bose >; Freeipa-users > > Sent: Wednesday, July 13, 2016 5:43 AM > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote: > > +freeipa-users list > > > > From: pgb205 > > > To: Sumit Bose > > > Sent: Tuesday, July 12, 2016 2:12 PM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > Sumit, thanks for replying > > So the first issue is my fault, probably from when I was sanitizing logs. > > our active directory domain is ad_domain.local, but users would expect to > login as userid at ad_domain.com or just userid.for ipa the kerberos realm is > IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal. > > ewr-fipa_server used to be old trial server so I am not sure why it's still > in the dns lookup results. I'll check this part further. > > Lastly. only the connection to one of the domain controllers on AD side is > open. As discussed previously with Alexandr BokovoyI forced, in /etc/krb5.conf, > a connection to this single, accessible domain controller. Are there any other > files where I would needto lock down the connections between ipa->ad so that > all traffic goes to specific active directory domain controller? > > thanks again for replying so quickly. > > Currently it is not possible to specify individual AD DC SSSD on the IPA > server should talk to. We have ticket > https://fedorahosted.org/sssd/ticket/2599 to make this possible in some > later versions of SSSD. > > Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to > get a list of AD DC, then picks one to get the next nearest site for the > IPA domain and finally tries to lookup a DC from the matching site (if > any). > > According to your logs SSSD was able to find 18 DCs with the SRV lookup. 
> A call like > > dig SRV _ldap._tcp.ad_domain.local > > on the IPA server should return the same list of 18 DCs. > > As a work-around, or better a hack, you might want to try to set the IP > address of all the 18 DC returned to the IP address of the only > accessible DC in /etc/hosts. This way SSSD should have no chance to > connect to a different DC. > > bye, > > Sumit > > > > > From: Sumit Bose > > > To: pgb205 > > > Cc: Sumit Bose > > > Sent: Tuesday, July 12, 2016 5:37 AM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote: > > > Sumit, > > > sssd log files attached with debug=10 in all sections.I have attempted > several logins for comparison as well as kinit commands > > > > I came across two issues in the logs. > > > > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt > > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the > > AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently > > FreeIPA cannot resolve those principals correctly. It was planned for > > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will > > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime > > please try to work-around suggested at the end of > > http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to > > authenticate with user at AD_DOMAIN.COM SSSD looks for a server called > > ewr-fipa_server.ad_domain.com but cannot find it an return the error code > > for "Cannot contact any KDC for requested realm". > > > > Second there are some issues access AD DCs via LDAP. SSSD tries to > > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but > > both fails. It is not clear from the logs if already the DNS lookup for > > those fails or if the connection itself runs into a timeout. 
In the > > former case you should make sure that the names can be resolved in the > > IPA server in the latter you can try to increase ldap_network_timeout > > (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it > > switches the AD domains to offline. The authentication request is > > handled offline as well but since there are no cached credentials you > > get the permission denied error. > > > > HTH > > > > bye, > > Sumit > > > > > > > > From: Sumit Bose > > > > To: pgb205 > > > > Cc: "Freeipa-users at redhat.com" > > > > Sent: Monday, July 11, 2016 3:06 AM > > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > > > > I have successfully established trust and am able to obtain ticket > granting ticketkinit user at AD_DOMAIN.COMI can also do kinit > admin at IPA_DOMAIN.COMssh admin at IPA_DOMAIN.COM also works > > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails > > > > I have checked that there are no hbac rules other then the default > allow_all rule > > > > in sssd_ssh.log see > > > > permission denied (6) error in sssd_ipa.domain.log file I see > > > > pam_handler_callback 6 permission_denied > > > > in sssd_nss.log Unable to get information from Data ProviderError: 3 > Account info lookup failedWill try to return what we have in cache > > > > in /var/log/secure received for user user at AD_DOMAIN.COM: 6 (Permission > denied) > > > > > > > > I can provided full logs if necessary to diagnose the above problem. > > > > > > Yes, full SSSD logs with debug_level=10 would be best. > > > > > > > ----------Additionally, I would like to be able to login as user not > user at AD_DOMAIN.COM > > > > My understanding that only thing that I have to change to make this > happen is /etc/krb5.conffor line > > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa > services. > > > > > > No, please do not change the default_realm. 
This is not related to the > > > issues you are seeing. > > > > > > bye, > > > Sumit > > > > > > > However, when I do this I get failure to restart Samba service > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go to http://freeipa.org for more info on the project > > > > > > > > > > > > > > > > > > > > > > > > > > > > This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. -------------- next part -------------- An HTML attachment was scrubbed... URL: From visakh.mv at sisplc.net Wed Jul 20 03:57:34 2016 From: visakh.mv at sisplc.net (Visakh MV) Date: Wed, 20 Jul 2016 09:27:34 +0530 Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04 In-Reply-To: References: Message-ID: Hi, first case: As per your direction, things are going well even if we are facing some issues as well. even like once logged in to ipa-client machine with ipa user with certain privilege after that while using terminal " TAB" and " Arrow " keys have not working. due to the same we can not use the system properly. second case: if any policy would have to edit at any certain reason then it will not update it with at real time, it could take some time to update new changes. 
is there any command to update at real time? third case: what are the sudo rule option? only one sudo option you have shared across the doc " !authenticate " has working fine. and it will not take other custom options. example: I added one sudo option inside sudo rule like " rootprivilege " but its showing one error on client machine while checking allowed commands. Please revert back. On Fri, Jul 15, 2016 at 10:41 AM, Visakh MV wrote: > Hi Team, > > Could you provide the client setup guide for Ubuntu systems. And we are > using FreeIPA 4.2.0 version. it's been a while trying to find the document > for Ubuntu with latest version FreeIPA Server, even now can not find the > doc. so kindly provide the same doc via mail as soon as good. > > even if tried some solution that could find out from internet as well but > still its not help us. > > -- > > Thanks & Regards, > > *Visakh m.v* > > *Support Engineer* > > Soffit Infrastructure Services (P) Ltd | Raj Bhavan | Power House Road | > Palarivattom|Kochi-25 | Kerala | India. > > (M) +91-9497714447|(O) 0484-3045663,0484-3931393|Web:www.soffit.in > > Managed Services | Technical Services | Infrastructure Consulting | Audits > & Assessments > > DISCLAIMER : This email, which includes any attachments, is confidential, > may be privileged and is intended solely for the use of the named > recipient(s). If you are not the intended recipient, do not disclose, > distribute, or retain it, and please notify the sender immediately and > delete the e-mail. E-mail is not necessarily secure or error free. It is > your responsibility to ensure that e-mails are virus free. No one may > conclude a contract on behalf of SOFFIT by e-mail without express written > confirmation by a duly authorised representative of SOFFIT. Any views > expressed in this e-mail are not necessarily those of SOFFIT. SOFFIT > accepts no responsibility for any loss or damages arising in any way from > the use of this e-mail as a means of communication. 
> -- Thanks & Regards, *Visakh m.v* *Support Engineer* Soffit Infrastructure Services (P) Ltd | Raj Bhavan | Power House Road | Palarivattom|Kochi-25 | Kerala | India. (M) +91-9497714447|(O) 0484-3045663,0484-3931393|Web:www.soffit.in Managed Services | Technical Services | Infrastructure Consulting | Audits & Assessments DISCLAIMER : This email, which includes any attachments, is confidential, may be privileged and is intended solely for the use of the named recipient(s). If you are not the intended recipient, do not disclose, distribute, or retain it, and please notify the sender immediately and delete the e-mail. E-mail is not necessarily secure or error free. It is your responsibility to ensure that e-mails are virus free. No one may conclude a contract on behalf of SOFFIT by e-mail without express written confirmation by a duly authorised representative of SOFFIT. Any views expressed in this e-mail are not necessarily those of SOFFIT. SOFFIT accepts no responsibility for any loss or damages arising in any way from the use of this e-mail as a means of communication. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed Jul 20 07:14:17 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 20 Jul 2016 09:14:17 +0200 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: References: <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> <20160719064058.GA7639@hendrix> Message-ID: <20160720071417.GA20343@hendrix> On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > On 19 July 2016 at 16:40, Jakub Hrozek wrote: > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > I think the thing that frustrates the most is that id user at domain.com is > > > returning correct data on both but they can't login....and I can't even > > > show that this is the case because now they can login. 
Difficult to > > > reproduce :/ > > > > Debugging from HBAC should at least tell you why the rules didn't > > match... > > > > > Sorry, I should have been clear - the issue is exactly the same. HBAC > rejected the user because they weren't in the correct groups, but sssd > hadn't got the correct number of groups from the AD server, and had missed > the group in question. Do you have the logs from the server and the client? If yes, feel free to send them in private mail if they are confidential, I'll try to find something in them. Specifying which groups are missing would help as well. From jhrozek at redhat.com Wed Jul 20 07:19:23 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 20 Jul 2016 09:19:23 +0200 Subject: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04 In-Reply-To: References: Message-ID: <20160720071923.GB20343@hendrix> On Wed, Jul 20, 2016 at 09:27:34AM +0530, Visakh MV wrote: > Hi, > > > first case: As per your direction, things are going well even if we are > facing some issues as well. even like once logged in to ipa-client machine > with ipa user with certain privilege after that while using terminal " TAB" > and " Arrow " keys have not working. due to the same we can not use the > system properly. I don't think keyboard keys have much to do with IPA. I wonder if the user has the shell you'd expect set or the correct homedir with your shell dotfiles? > > second case: if any policy would have to edit at any certain reason then it > will not update it with at real time, it could take some time to update new > changes. is there any command to update at real time? Depends on what do you need to update. But it's true that sssd caches a lot of information. For user and group data, you can call sss_cache. Please note that invalidating sudo rules with sss_cache was only added to sssd-1.14. > > third case: what are the sudo rule option? 
> > only one sudo option you have shared across the doc " !authenticate " has > working fine. and it will not take other custom options. > > example: I added one sudo option inside sudo rule like " rootprivilege " > but its showing one error on client machine while checking allowed > commands. I'm afraid you need to enable debugging and look a bit into the logs. We have an upstream sudo troubleshooting guide: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO From datakid at gmail.com Wed Jul 20 08:50:44 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Wed, 20 Jul 2016 18:50:44 +1000 Subject: [Freeipa-users] HBAC and AD users In-Reply-To: <20160720071417.GA20343@hendrix> References: <20160714074459.GO25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160715075629.GI4734@hendrix> <20160719064058.GA7639@hendrix> <20160720071417.GA20343@hendrix> Message-ID: Sure - I've got tomorrow off, so it will be Friday morning. cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 July 2016 at 17:14, Jakub Hrozek wrote: > On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > > On 19 July 2016 at 16:40, Jakub Hrozek wrote: > > > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > > I think the thing that frustrates the most is that id > user at domain.com is > > > > returning correct data on both but they can't login....and I can't > even > > > > show that this is the case because now they can login. Difficult to > > > > reproduce :/ > > > > > > Debugging from HBAC should at least tell you why the rules didn't > > > match... > > > > > > > > > Sorry, I should have been clear - the issue is exactly the same. HBAC > > rejected the user because they weren't in the correct groups, but sssd > > hadn't got the correct number of groups from the AD server, and had > missed > > the group in question. > > Do you have the logs from the server and the client? 
If yes, feel free > to send them in private mail if they are confidential, I'll try to > find something in them. > > Specifying which groups are missing would help as well. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jan.karasek at elostech.cz Wed Jul 20 12:15:47 2016 From: jan.karasek at elostech.cz (Jan =?utf-8?Q?Kar=C3=A1sek?=) Date: Wed, 20 Jul 2016 14:15:47 +0200 (CEST) Subject: [Freeipa-users] AD trust with POSIX attributes In-Reply-To: <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> Message-ID: <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> Hi, thank you for the hint. In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: It's working with msSFU30MaxUidNumber and msSFU30OrderNumber. If I understand it right, it is base uid number and the number of uids in range. If not discovered nor given via CLI, then it generate random base and add some default_range_size. So these two attributes must be set to use ipa-ad-trust-posix range ? Could anybody help me how and where to check these attributes ? I have looked in the ldapsearch dump from my AD(Global calaog) and I can see these attributes only in schema - so no values assigned. I'm using W2012 R2. Thank you, Jan From: "Justin Stephenson" To: "Jan Kar?sek" , freeipa-users at redhat.com Sent: Tuesday, July 19, 2016 8:36:00 PM Subject: Re: [Freeipa-users] AD trust with POSIX attributes Hello, When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA. 
You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment. Kind regards, Justin Stephenson On 07/19/2016 09:44 AM, Jan Kar?sek wrote: Hi, I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ? I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute. What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ? Do I have to mandatory fill some AD user's attributes to get it work ? Currently I'am testing just with uidNumber and gidNumber. There is almost no documentation about this topic so I don't know what else I can try ... Thanks for help, Jan Date: Tue, 21 Jun 2016 21:38:15 +0200 From: Jakub Hrozek To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD trust with POSIX attributes Message-ID: <20160621193815.GS29512 at hendrix> Content-Type: text/plain; charset=iso-8859-1 On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek wrote: > Hi all, > > I have a questions about IPA with AD forest trust. What I am trying to do is setup environment, where all informations about users are stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD. > > I have set up trust with this parameters: > > ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator Did you add the POSIX attributes to AD after creating the trust maybe? 
> > [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range > Range name: EXAMPLE.TT_id_range > First Posix ID of the range: 1392000000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 > Range type: Active Directory trust range with POSIX attributes > > > I have set attributes in AD for user at EXAMPLE.TT > - uidNumber -10000 > - homeDirectory -/home/user > - loginShell - /bin/bash > > Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh. > > Problem is, that I am not getting uid from AD but from idrange: > > uid=1392001107( user at example.tt ) > > Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck. This has no effect, in IPA-AD trust scenario, the id mapping properties are managed on the server. > > I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users information are externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD. I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment, it sounds like you want to use the POSIX attributes across the board. > > So my questions are: > > Is it possible to read user's POSIX attributes directly from AD - namely uid ? Yes > Which atributes can be stored in AD ? Homedir is a bit special, for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set at the moment, though, so I'm operating purely from memory. > Am I doing something wrong ? 
>
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = a.example.tt
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
>
> [pam]
> debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
> [pac]
>
> debug_level = 4
> [ifp]
>
> Thanks,
> Jan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Wed Jul 20 14:08:34 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jul 2016 10:08:34 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com>
Message-ID: <578F85E2.7010704@redhat.com>

Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep the issues separated?

IPA gets little information back when dogtag fails to install. You need to look in /var/log//debug for more information. The exact location depends on the version of IPA.

rob

Linov Suresh wrote:
> Great!
> That worked, and I successfully renewed the certificates on the IPA server. Then I was trying to create an IPA replica server and got an error:
>
> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
> Directory Manager (existing master) password:
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
> [1/3]: creating directory server user
> [2/3]: creating directory server instance
> [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> [1/17]: creating certificate server user
> [2/17]: creating pki-ca instance
> [3/17]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Configuration of CA failed
> [root at neit-lab ~]#
>
> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it wasn't helpful. Wondering if you can help us on this,
>
>
>
> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>
> Linov Suresh wrote:
>
> I have followed the Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)*
>
> While on the other hand the FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add: usercertificate;binary*
>
> Just wondering if we need to *add* the certificate, or *replace* the existing certificate, and which format do we need to use? *pem* or *der*.
>
> We already successfully renewed the certificates about months back, but they expired about 6 months back and we were not able to renew till now, and this has affected our production environment.
>
> Please help us.
>
>
> You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
>
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.
> > Assuming you can, then go back in time again, this time just a few > days and try renewing the LDAP and Apache server certs again. > > rob > > > On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh > > >> > wrote: > > We have cloned and created another virtual server from the > template. > Surprisingly this server certificates were also expired at > the same > time as the previous, just lasted for a day. > This issue has something to do with the kerberos tickets? > > I am new to IPA and your help is highly appreciated. > > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh > > >> > wrote: > > *Update: my webserver and LDAP certificates were expired at > 2016-07-18 15:54:36 UTC and the certificates are in > CA_UNREACHABLE state.* > * > * > *Could you please help us? > * > > [root at caer tmp]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20111214223243': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: -504 > (libcurl failed to execute the HTTP POST transaction. Peer > certificate cannot be authenticated with known CA > certificates). > stuck: yes > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > *expires: 2016-07-18 15:54:36 UTC* > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: -504 > (libcurl failed to execute the HTTP POST transaction. Peer > certificate cannot be authenticated with known CA > certificates). 
> stuck: yes > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > *expires: 2016-07-18 15:54:52 UTC* > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: -504 > (libcurl failed to execute the HTTP POST transaction. Peer > certificate cannot be authenticated with known CA > certificates). > stuck: yes > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > *expires: 2016-07-18 15:55:04 UTC* > > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: MONITORING > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". 
> stuck: no > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=CA Audit,O=TELOIP.NET > > expires: 2017-10-13 14:10:49 UTC > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert > cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: MONITORING > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". > stuck: no > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=OCSP Subsystem,O=TELOIP.NET > > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert > cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: MONITORING > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
> stuck: no > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664' > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=CA Subsystem,O=TELOIP.NET > > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert > cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". > stuck: no > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=RA Subsystem,O=TELOIP.NET > > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20130519130745': > status: MONITORING > ca-error: Internal error: no response to > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". 
> stuck: no > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB',pin='297100916664' > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > ,O=TELOIP.NET > > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET > > " > track: yes > auto-renew: yes > > On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh > > >> > wrote: > > Yes, PKI is running and I don't see any errors in > selftests, > I have followed > https://access.redhat.com/solutions/643753 > and restarted the PKI in step 10. > > The only change which I made was clean > up userCertificate;binary before adding new > userCertificatein LDAP, which is step 12. > > > [root at caer ~]# /etc/init.d/pki-cad status > pki-ca (pid 8634) is running... 
> [ > OK ] > Unsecure Port = > http://caer.teloip.net:9180/ca/ee/ca > Secure Agent Port = > https://caer.teloip.net:9443/ca/agent/ca > Secure EE Port = > https://caer.teloip.net:9444/ca/ee/ca > Secure Admin Port = > https://caer.teloip.net:9445/ca/services > EE Client Auth Port = > https://caer.teloip.net:9446/ca/eeca/ca > PKI Console Port = pkiconsole > https://caer.teloip.net:9445/ca > Tomcat Port = 9701 (for shutdown) > > PKI Instance Name: pki-ca > > PKI Subsystem Type: Root CA (Security Domain) > > Registered PKI Security Domain Information: > > > ========================================================================== > Name: IPA > URL: https://caer.teloip.net:9445 > > > ========================================================================== > [root at caer ~]# > [root at caer ~]# tail -f /var/log/pki-ca/selftests.log > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: loading all self test plugin logger > parameters > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: loading all self test plugin > instances > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: loading all self test plugin > instance > parameters > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: loading self test plugins in > on-demand order > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: loading self test plugins in > startup order > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] > SelfTestSubsystem: Self test plugins have been > successfully > loaded! 
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] > SelfTestSubsystem: Running self test plugins > specified to be > executed at startup: > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] > CAPresence: > CA is present > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] > SystemCertsVerification: system certs verification > success > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] > SelfTestSubsystem: All CRITICAL self test plugins ran > SUCCESSFULLY at startup! > > Your help is highly appreciated! > > Linov Suresh > > 70 Forest Manor Rd. > Toronto > ON M2J 0A9 > Mobile: +1 647 406 9438 > > Linkedin: ca.linkedin.com/in/linov/ > > > Website: http://mylinuxthoughts.blogspot.com > > > On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik > > >> wrote: > > On 07/18/2016 05:45 AM, Linov Suresh wrote: > > Thanks for the update Rob. I went back to Jan > 20, 2016, restarted CA and > > certmonger. Look like certificates were > renewed. But I'm getting a different > > error now, > > > > *ca-error: Internal error: no response to > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".* > > Is PKI running? When you change the time, does > restart > of IPA help? > > > > > [root at caer ~]# getcert list > > Number of certificates and requests being > tracked: 8. 
> > Request ID '20111214223243': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > Certificate > DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=caer.teloip.net > > > ,O=TELOIP.NET > > > > > expires: 2016-07-18 15:54:36 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223300': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=caer.teloip.net > > > ,O=TELOIP.NET > > > > > expires: 2016-07-18 15:54:52 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223316': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=caer.teloip.net > > > ,O=TELOIP.NET > > > > > expires: 2016-07-18 15:55:04 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: MONITORING > > ca-error: Internal 
error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=CA Audit,O=TELOIP.NET > > > > expires: 2017-10-13 14:10:49 UTC > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". > > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=OCSP > Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=CA > Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=RA > Subsystem,O=TELOIP.NET > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > Request ID '20130519130745': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > > subject: CN=caer.teloip.net > > > ,O=TELOIP.NET > > > > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET > > > " > > track: yes > > auto-renew: yes > > [root at caer ~]# > > > > Your help is highly appreciated! > > > > > > > > On Fri, Jul 15, 2016 at 5:08 PM, Rob > Crittenden > > > > > > >>> wrote: > > > > Linov Suresh wrote: > > > > I logged into my IPA master, and > found that > the cert had expired again, > > we renewed these certificates about > 18 months > ago. > > > > Our environment is CentOS 6.4 and > IPA 3.0.0-26. > > > > > > I followed the Redhat > documentation,How do > I manually renew Identity > > Management (IPA) certificates > after they > have expired? (Master IPA > > Server), > https://access.redhat.com/solutions/643753 but no luck. > > > > > > I have also changed the directive > "NSSEnforceValidCerts off" in > > /etc/httpd/conf.d/nss.conf and the > value of > nsslapd-validate-cert is warn. > > > > ldapsearch -x -h localhost -p 7389 -D > 'cn=directory manager' -w ******* > > -b cn=config | grep > nsslapd-validate-cert > > > > nsslapd-validate-cert: warn > > > > Here is my getcert list, > > > > [root at caer ~]# getcert list > > > > > > It looks like your CA subsystem > certificates all > renewed successfully it is > > just the webserver and LDAP certificates > that > need renewing so that's good. > > > > What I'd do is go back in time again to > say Jan > 20, 2016 and restart > > certmonger. That should make it retry > the renewals. 
> > rob
> >
> >
>
> --
> Petr Vobornik
>

From jstephen at redhat.com Wed Jul 20 14:09:02 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Wed, 20 Jul 2016 10:09:02 -0400
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz>
References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz>
Message-ID: <41e4334c-531f-0074-cc78-33668d319676@redhat.com>

These attributes should be available from port 389 and not the global catalog; please try a command such as:

ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber

replacing the root suffix in the search base, the IP address and the bind credentials.

Kind regards,
Justin Stephenson

On 07/20/2016 08:15 AM, Jan Kar?sek wrote:
> Hi,
>
> thank you for the hint.
>
> In /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>
> It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>
> If I understand it right, it is the base uid number and the number of uids in the range.
>
> If not discovered nor given via CLI, then it generates a random base and adds some default_range_size.
>
> So these two attributes must be set to use the ipa-ad-trust-posix range?
>
> Could anybody help me with how and where to check these attributes? I have looked in the ldapsearch dump from my AD (Global Catalog) and I can see these attributes only in the schema - so no values assigned.
> I'm using W2012 R2.
>
> Thank you,
> Jan
>
>
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson"
> *To: *"Jan Kar?sek" , freeipa-users at redhat.com
> *Sent: *Tuesday, July 19, 2016 8:36:00 PM
> *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hello,
>
> When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
>
> You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>
> I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
>
> Kind regards,
> Justin Stephenson
>
> On 07/19/2016 09:44 AM, Jan Kar?sek wrote:
>
> Hi,
>
> I am still fighting with storing users' POSIX attributes in AD. Can anybody please provide some simple reference settings of an IPA-AD trust where users are able to get their uid from AD, not from the IPA ID pool?
>
> I have tried to set the values of the attributes before and after creating the trust, and I have tried different sssd settings, but I'm still getting the uid from the IPA idrange pool instead of from the AD user's attribute.
>
> What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?
>
> Is it mandatory to fill in some AD user attributes to get it to work? Currently I am testing just with uidNumber and gidNumber.
>
> There is almost no documentation about this topic, so I don't know what else I can try ...
>
> Thanks for help,
>
> Jan
>
> ------------------------------------------------------------------------
>
> Date: Tue, 21 Jun 2016 21:38:15 +0200
> From: Jakub Hrozek
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> Message-ID: <20160621193815.GS29512 at hendrix>
> Content-Type: text/plain; charset=iso-8859-1
>
> On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek wrote:
> > Hi all,
> >
> > I have a question about IPA with an AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
> >
> > I have set up the trust with these parameters:
> >
> > ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>
> Did you add the POSIX attributes to AD after creating the trust maybe?
>
> >
> > [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> > Range name: EXAMPLE.TT_id_range
> > First Posix ID of the range: 1392000000
> > Number of IDs in the range: 200000
> > Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> > Range type: Active Directory trust range with POSIX attributes
> >
> >
> > I have set attributes in AD for user at EXAMPLE.TT
> > - uidNumber - 10000
> > - homeDirectory - /home/user
> > - loginShell - /bin/bash
> >
> > The trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt, and I can use user at example.tt for ssh.
> >
> > The problem is that I am not getting the uid from AD but from the idrange:
> >
> > uid=1392001107(user at example.tt)
> >
> > Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
>
> This has no effect; in the IPA-AD trust scenario, the id mapping properties are managed on the server.
>
> > I know that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from the HR system - including POSIX attributes - and we need IPA to read them from AD.
>
> I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment, it sounds like you want to use the POSIX attributes across the board.
>
> >
> > So my questions are:
> >
> > Is it possible to read users' POSIX attributes directly from AD - namely uid?
>
> Yes
>
> > Which attributes can be stored in AD?
>
> Homedir is a bit special; for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD.
>
> I don't have the environment set up at the moment, though, so I'm operating purely from memory.
>
> > Am I doing something wrong?
> >
> > my sssd.conf:
> > [domain/a.example.tt]
> > debug_level = 5
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = a.example.tt
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ipa1.a.example.tt
> > chpass_provider = ipa
> > ipa_server = ipa1.a.example.tt
> > ipa_server_mode = True
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > #ldap_id_mapping = true
> > #subdomain_inherit = ldap_user_principal
> > #ldap_user_principal = nosuchattribute
> >
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = a.example.tt
> > [nss]
> > debug_level = 5
> > homedir_substring = /home
> > enum_cache_timeout = 2
> > entry_negative_timeout = 2
> >
> >
> > [pam]
> > debug_level = 5
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> > debug_level = 4
> > [pac]
> >
> > debug_level = 4
> > [ifp]
> >
> > Thanks,
> > Jan
>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
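The check Justin recommends in the AD-trust thread above (compare the AD users' uidNumber/gidNumber against the idrange IPA created) together with the msSFU30 lookup from his later ldapsearch, as an added example that is not part of the thread or of FreeIPA. It parses the `ipa idrange-show` text exactly as pasted by Jan plus two constructed LDIF samples (the AD user entries and the ypservers entry; every AD value in them is invented for illustration) and reports each ID that the range cannot serve. It does not reproduce trust.py's own range derivation; it only reads the msSFU30 values back so they can be compared with the range IPA ended up with.

```python
"""Cross-check AD POSIX IDs against the IPA trust idrange.

Added example (not from the thread or from FreeIPA). Inputs are text as
produced by `ipa idrange-show` and by `ldapsearch` (LDIF); the samples below
are constructed and every AD value in them is invented.
"""

# Constructed sample: the idrange-show output pasted in the thread.
IDRANGE_SHOW = """\
Range name: EXAMPLE.TT_id_range
First Posix ID of the range: 1392000000
Number of IDs in the range: 200000
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
Range type: Active Directory trust range with POSIX attributes
"""

# Constructed sample: AD user entries as ldapsearch prints them (invented values).
AD_USERS_LDIF = """\
dn: CN=user,CN=Users,DC=example,DC=tt
sAMAccountName: user
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash

dn: CN=alice,CN=Users,DC=example,DC=tt
sAMAccountName: alice
uidNumber: 1392000501
gidNumber: 1392000500

dn: CN=bob,CN=Users,DC=example,DC=tt
sAMAccountName: bob
loginShell: /bin/bash
"""

# Constructed sample: the ypservers entry from Justin's ldapsearch (invented values).
YPSERVERS_LDIF = """\
dn: cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=tt
msSFU30OrderNumber: 10000
msSFU30MaxUidNumber: 10005
msSFU30MaxGidNumber: 10001
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]} dicts, one per entry.

    Handles only plain 'attr: value' lines and blank-line entry separators
    (no base64 '::' values, no line continuations), which is enough here.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_idrange(text):
    """Return (first_id, last_id) from `ipa idrange-show` output."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    first = int(fields["First Posix ID of the range"])
    size = int(fields["Number of IDs in the range"])
    return first, first + size - 1


def check_users(idrange_text, users_ldif):
    """List (account, attribute, value, problem) for every ID the range cannot serve."""
    first, last = parse_idrange(idrange_text)
    problems = []
    for entry in parse_ldif(users_ldif):
        name = entry.get("sAMAccountName", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                problems.append((name, attr, None, "missing"))
                continue
            value = int(entry[attr][0])
            if not first <= value <= last:
                problems.append((name, attr, value, "outside %d-%d" % (first, last)))
    return problems


def sfu_attributes(ypservers_ldif):
    """Return the msSFU30* values as ints, or None for any that AD has not set."""
    entries = parse_ldif(ypservers_ldif)
    entry = entries[0] if entries else {}
    names = ("msSFU30OrderNumber", "msSFU30MaxUidNumber", "msSFU30MaxGidNumber")
    return dict((n, int(entry[n][0]) if n in entry else None) for n in names)


if __name__ == "__main__":
    first, last = parse_idrange(IDRANGE_SHOW)
    print("IPA range: %d-%d" % (first, last))
    print("AD msSFU30 values: %s" % sfu_attributes(YPSERVERS_LDIF))
    for name, attr, value, problem in check_users(IDRANGE_SHOW, AD_USERS_LDIF):
        print("%s: %s=%s is %s" % (name, attr, value, problem))
```

With the thread's numbers the first line of output is the one that matters: uidNumber 10000 on the AD user lies far below the 1392000000 base of the range IPA generated, so that range can never hand out the ID stored in AD. Fixing the range (or the msSFU30 values the trust creation reads, if AD really has none) comes before any sssd.conf tuning.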
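An added example for the certificate-expiry thread above (Linov's expired Server-Cert entries stuck in CA_UNREACHABLE and Rob's advice to set the clock back a few days and restart certmonger); it is not part of the thread, of certmonger or of FreeIPA. It parses `getcert list` text, flags every tracked request that is expired, stuck or reporting a ca-error, and computes how far back the clock has to go for all of them to be valid again. The -504 "Peer certificate cannot be authenticated" error is the IPA certmonger helper failing to validate the already-expired Apache server certificate over HTTPS, which is why those entries cannot renew themselves once they have expired. The sample output is constructed from the entries pasted in the thread, trimmed to three requests; the days-before margin is this example's assumption, not a certmonger setting.

```python
"""Triage `getcert list` output.

Added example (not from the thread, certmonger or FreeIPA). The sample below is
constructed from the entries pasted in the thread, trimmed to three requests.
"""
import re
from datetime import datetime, timedelta

GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS' with an optional trailing ' UTC'."""
    return datetime.strptime(value.replace(" UTC", "").strip(), TS_FORMAT)


def parse_getcert(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def triage(entries, now_utc):
    """Summarise each request: where the key lives and whether it is expired, stuck or erroring."""
    now = parse_ts(now_utc)
    report = []
    for e in entries:
        storage = e.get("key pair storage", "")
        nick = re.search(r"nickname='([^']*)'", storage)
        loc = re.search(r"location='([^']*)'", storage)
        expires = parse_ts(e["expires"]) if "expires" in e else None
        report.append({
            "request_id": e["request_id"],
            "nickname": nick.group(1) if nick else None,
            "location": loc.group(1) if loc else None,
            "status": e.get("status"),
            "expired": expires is not None and expires < now,
            "stuck": e.get("stuck") == "yes",
            "ca_error": "ca-error" in e,
        })
    return report


def clock_target(entries, days_before=3):
    """Latest clock value at which every tracked certificate is still valid.

    Rob's go-back-in-time recovery: earliest expiry minus a margin. The margin
    is this example's assumption, not a certmonger parameter.
    """
    earliest = min(parse_ts(e["expires"]) for e in entries if "expires" in e)
    return earliest - timedelta(days=days_before)


if __name__ == "__main__":
    entries = parse_getcert(GETCERT_OUTPUT)
    for r in triage(entries, "2016-07-19 00:00:00"):
        flags = [k for k in ("expired", "stuck", "ca_error") if r[k]]
        print("%s %-12s %s (%s): %s" % (r["request_id"], r["nickname"],
                                        r["location"], r["status"],
                                        ", ".join(flags) or "ok"))
    print("set clock to %s UTC, then restart certmonger" % clock_target(entries))
```

Run it against real output with `getcert list > /tmp/getcert.txt` and feed the file contents to `parse_getcert`. The useful split is the one Rob made in the thread: entries whose CA is dogtag-ipa-renew-agent are the CA subsystem certs and only report a ca-error, while the three Server-Cert entries issued by CA IPA are the ones that are actually expired and stuck, and they are what the clock has to be set back for.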
URL: From pgb205 at yahoo.com Wed Jul 20 14:34:17 2016 From: pgb205 at yahoo.com (pgb205) Date: Wed, 20 Jul 2016 14:34:17 +0000 (UTC) Subject: [Freeipa-users] Unable to ssh after establishing trust In-Reply-To: <0137003026EBE54FBEC540C5600C03C436F88A@PMC-EXMBX02.petermac.org.au> References: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <1659850287.1691500.1468208818018.JavaMail.yahoo@mail.yahoo.com> <20160711070621.GV2919@p.Speedport_W_724V_Typ_A_05011603_00_009> <1996698843.2142828.1468271643988.JavaMail.yahoo@mail.yahoo.com> <20160712093709.GC25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1688890825.2743400.1468347175653.JavaMail.yahoo@mail.yahoo.com> <1763334849.2597718.1468348822679.JavaMail.yahoo@mail.yahoo.com> <20160713094332.GI25874@p.Speedport_W_724V_Typ_A_05011603_00_009> <1358648675.1061891.1468876867383.JavaMail.yahoo@mail.yahoo.com> <20160719073326.GF4387@p.Speedport_W_724V_Typ_A_05011603_00_009> <55011995.1493244.1468956506002.JavaMail.yahoo@mail.yahoo.com> <0137003026EBE54FBEC540C5600C03C436F88A@PMC-EXMBX02.petermac.org.au> Message-ID: <1565718485.1920272.1469025257877.JavaMail.yahoo@mail.yahoo.com> thank you! 
that was it From: Simpson Lachlan To: pgb205 ; Sumit Bose Cc: Freeipa-users Sent: Tuesday, July 19, 2016 7:30 PM Subject: RE: Re: [Freeipa-users] Unable to ssh after establishing trust From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of pgb205 Sent: Wednesday, 20 July 2016 5:28 AM To: Sumit Bose Cc: Freeipa-users Subject: Re: [Freeipa-users] Unable to ssh after establishing trust well...I'm not sure what I changed, if anything, but I am able to login with my AD credentials. I have restarted ipa server and cleared sss_cache, so maybe that helped. A few other things still remain though: right now I'm logging in as jsmith at ADDOMAIN.LOCAL I would want it to be either jsmith at ADDOMAIN.COM or better yet jsmith --without specifying the domain name.
How can this be accomplished? [Lachlan Simpson] You are looking for the default_domain_suffix setting in the sssd stanza of /etc/sssd/sssd.conf https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-user-ids.html Cheers, L. thanks From: Sumit Bose To: pgb205 Cc: Freeipa-users Sent: Tuesday, July 19, 2016 3:33 AM Subject: Re: [Freeipa-users] Unable to ssh after establishing trust On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote: > Sumit, > > I have set the names of all the Domain Controllers to be resolvable to the IP > of the one reachable Domain Controller in /etc/hosts > > /etc/hosts: > Reachable_IP_BOX 172.10.10.1 > DC1 172.10.10.1 > DC2 172.10.10.1 > ... > ... The IP address should come first, please see man hosts for details. > > However, I still see the following > Marking SRV lookup of service 'gc_addomain.local' as 'neutral' > Marking server dc1.addomain.local' as 'name not resolved' Have you tried to add the fully-qualified names (dc1.addomain.local) in the right format (see above) to /etc/hosts? > > > Additionally I have configured > [domain/ipa.internal] > with > subdomain_inherit = ldap_user_principal > ldap_user_principal = nosuchattr > > > As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be > the old hostname of the IPA KDC. > After much troubleshooting I believe I got this fixed by deleting extra > folders in > /var/named/dyndb-ldap/ipa/master > Right now the only two folders are ipa.internal and .in-addr.arpa. > I think this is what helped with this issue. but can you please confirm if it > sounds reasonable. Not sure how you got the additional directories but if you only have a single IPA DNS domain the two directories are sufficient. bye, Sumit > > > Ssh is still failing, possibly due to the problem 1 above. Is there anything > else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue? > > thanks > > From: Sumit Bose > To: pgb205 > Cc: Sumit Bose ; Freeipa-users > Sent: Wednesday, July 13, 2016 5:43 AM > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote: > > +freeipa-users list > > > > From: pgb205 > > To: Sumit Bose > > Sent: Tuesday, July 12, 2016 2:12 PM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > Sumit, thanks for replying > > So the first issue is my fault, probably from when I was sanitizing logs. > > our active directory domain is ad_domain.local, but users would expect to > login as userid at ad_domain.com or just userid. For ipa the kerberos realm is > IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal. > > ewr-fipa_server used to be old trial server so I am not sure why it's still > in the dns lookup results. I'll check this part further. > > Lastly. only the connection to one of the domain controllers on AD side is > open. As discussed previously with Alexandr Bokovoy I forced, in /etc/krb5.conf, > a connection to this single, accessible domain controller. Are there any other > files where I would need to lock down the connections between ipa->ad so that > all traffic goes to specific active directory domain controller? > > thanks again for replying so quickly. > > Currently it is not possible to specify individual AD DC SSSD on the IPA > server should talk to. We have ticket > https://fedorahosted.org/sssd/ticket/2599 to make this possible in some > later versions of SSSD. > > Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to > get a list of AD DC, then picks one to get the next nearest site for the > IPA domain and finally tries to lookup a DC from the matching site (if > any). > > According to your logs SSSD was able to find 18 DCs with the SRV lookup. > A call like > >
dig SRV _ldap._tcp.ad_domain.local > > on the IPA server should return the same list of 18 DCs. > > As a work-around, or better a hack, you might want to try to set the IP > address of all the 18 DC returned to the IP address of the only > accessible DC in /etc/hosts. This way SSSD should have no chance to > connect to a different DC. > > bye, > > Sumit > > > > > From: Sumit Bose > > To: pgb205 > > Cc: Sumit Bose > > Sent: Tuesday, July 12, 2016 5:37 AM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote: > > > Sumit, > > > sssd log files attached with debug=10 in all sections. I have attempted > several logins for comparison as well as kinit commands > > > > I came across two issues in the logs. > > > > First it looks like you use 'user at AD_DOMAIN.LOCAL' at the login prompt > > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the > > AD side and user principal attributes 'user at AD_DOMAIN.COM'. Currently > > FreeIPA cannot resolve those principals correctly. It was planned for > > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will > > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime > > please try the work-around suggested at the end of > > http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to > > authenticate with user at AD_DOMAIN.COM SSSD looks for a server called > > ewr-fipa_server.ad_domain.com but cannot find it and returns the error code > > for "Cannot contact any KDC for requested realm". > > > > Second there are some issues accessing AD DCs via LDAP. SSSD tries to > > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but > > both fail. It is not clear from the logs if already the DNS lookup for > > those fails or if the connection itself runs into a timeout.
In the > > former case you should make sure that the names can be resolved in the > > IPA server in the latter you can try to increase ldap_network_timeout > > (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it > > switches the AD domains to offline. The authentication request is > > handled offline as well but since there are no cached credentials you > > get the permission denied error. > > > > HTH > > > > bye, > > Sumit > > > > > > > > From: Sumit Bose > > > To: pgb205 > > > Cc: "Freeipa-users at redhat.com" > > > Sent: Monday, July 11, 2016 3:06 AM > > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > > > > I have successfully established trust and am able to obtain ticket > granting ticket kinit user at AD_DOMAIN.COM I can also do kinit > admin at IPA_DOMAIN.COM ssh admin at IPA_DOMAIN.COM also works > > > > however, ssh user at AD_DOMAIN.COM or user at ad_domain.com fails > > > > I have checked that there are no hbac rules other than the default > allow_all rule > > > > in sssd_ssh.log see > > > > permission denied (6) error in sssd_ipa.domain.log file I see > > > > pam_handler_callback 6 permission_denied > > > > in sssd_nss.log Unable to get information from Data Provider Error: 3 > Account info lookup failed Will try to return what we have in cache > > > > in /var/log/secure received for user user at AD_DOMAIN.COM: 6 (Permission > denied) > > > > > > > > I can provide full logs if necessary to diagnose the above problem. > > > > > > Yes, full SSSD logs with debug_level=10 would be best. > > > > > > > ----------Additionally, I would like to be able to login as user not > user at AD_DOMAIN.COM > > > > My understanding that only thing that I have to change to make this > happen is /etc/krb5.conf for line > > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa > services. > > > > > > No, please do not change the default_realm.
This is not related to the > > > issues you are seeing. > > > > > > bye, > > > Sumit > > > > > > > However, when I do this I get failure to restart Samba service > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go to http://freeipa.org for more info on the project
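An added check for the /etc/hosts workaround discussed in this thread (example code written for this archive, not from SSSD or FreeIPA). It takes the SRV targets for _ldap._tcp.<AD domain>, here a constructed sample of dig +short output, and an /etc/hosts text, and reports which DC names are pinned to the reachable DC, which point elsewhere, which are missing, and which lines put the name before the address, the format mistake Sumit points out above. The DC names and the address 172.10.10.1 come from the thread; the third DC and the address 10.0.0.5 are constructed.

```python
"""Check that every AD DC returned by the SRV lookup is pinned in /etc/hosts.

Added example, not SSSD or FreeIPA code. The dig output and hosts file
below are constructed samples; on the IPA server the SRV list would come
from `dig +short SRV _ldap._tcp.ad_domain.local`.
"""
import ipaddress

# Constructed sample of `dig +short SRV _ldap._tcp.ad_domain.local` output,
# one record per line: "<priority> <weight> <port> <target>."
SAMPLE_SRV = """\
0 100 389 dc1.ad_domain.local.
0 100 389 dc2.ad_domain.local.
0 100 389 dc3.ad_domain.local.
0 100 389 mm-sfdc01.ad_domain.local.
"""

# Constructed /etc/hosts. The DC1 and dc2 lines repeat the mistake from the
# thread (name before address); dc3 points at a constructed, unreachable
# address; only the last line is in the hosts(5) format.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
DC1   172.10.10.1
dc2.ad_domain.local   172.10.10.1
10.0.0.5   dc3.ad_domain.local
172.10.10.1   mm-sfdc01.ad_domain.local mm-sfdc01   # the only reachable DC
"""

REACHABLE_DC = "172.10.10.1"


def parse_srv_targets(dig_output):
    """Return SRV target FQDNs (lower-cased, trailing dot removed)."""
    targets = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip anything that is not "prio weight port target"
            continue
        targets.append(parts[3].rstrip(".").lower())
    return targets


def parse_hosts(hosts_text):
    """Parse hosts(5) lines into (name -> address, malformed lines).

    A valid line is "<address> <canonical name> [aliases...]"; a line whose
    first field is not an IP address is reported instead of being mapped.
    """
    mapping = {}
    malformed = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append(raw)
            continue
        for name in fields[1:]:
            mapping[name.lower()] = addr
    return mapping, malformed


def check_dc_pinning(dig_output, hosts_text, reachable_ip):
    """Classify every SRV target by how /etc/hosts would resolve it."""
    reachable = str(ipaddress.ip_address(reachable_ip))
    targets = parse_srv_targets(dig_output)
    mapping, malformed = parse_hosts(hosts_text)
    return {
        "pinned": [t for t in targets if mapping.get(t) == reachable],
        "wrong_ip": [t for t in targets if t in mapping and mapping[t] != reachable],
        "missing": [t for t in targets if t not in mapping],
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = check_dc_pinning(SAMPLE_SRV, SAMPLE_HOSTS, REACHABLE_DC)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Only targets that appear under "pinned" are guaranteed to reach the single open DC; anything under "missing" or "malformed" still resolves through DNS and can send SSSD to a DC that is firewalled off.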
From patrick.hurrelmann at lobster.de Wed Jul 20 15:09:31 2016 From: patrick.hurrelmann at lobster.de (Patrick Hurrelmann) Date: Wed, 20 Jul 2016 17:09:31 +0200 Subject: [Freeipa-users] RPM Update fails on some replicas in ipa-server-upgrade Message-ID: <9c3614d6-255a-dda1-8f77-5946da2fc859@lobster.de> Hi all, today I updated all of our IPA servers (CentOS 7.2) with some minor RPM updates, but one of the replicas failed with: RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API', domain='ipa', localedir=None) Log excerpt (ipaupgrade.log) from this host: (Also available as https://paste.fedoraproject.org/392759/90042561/) 2016-07-20T08:39:10Z INFO [Migrating certificate profiles to LDAP] 2016-07-20T08:39:10Z DEBUG Created connection context.ldap2_79620048 2016-07-20T08:39:10Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache 2016-07-20T08:39:10Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn= 2016-07-20T08:39:10Z DEBUG Destroyed connection context.ldap2_79620048 2016-07-20T08:39:10Z DEBUG request GET https://ipa1.loc1.example.com:8443/ca/rest/account/login 2016-07-20T08:39:10Z DEBUG request body '' 2016-07-20T08:39:10Z DEBUG NSSConnection init ipa1.loc1.example.com 2016-07-20T08:39:11Z DEBUG Connecting: 1.2.3.210:0 2016-07-20T08:39:11Z DEBUG approved_usage = SSL Server intended_usage = SSL Server 2016-07-20T08:39:11Z DEBUG cert valid True for "CN=ipa1.loc1.example.com,O=Example Org,OU=CA,L=City,ST=State,C=DE" 2016-07-20T08:39:11Z DEBUG handshake complete, peer = 1.2.3.210:8443 2016-07-20T08:39:11Z DEBUG Protocol: TLS1.2 2016-07-20T08:39:11Z DEBUG Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 2016-07-20T08:39:11Z DEBUG response status 401 2016-07-20T08:39:11Z DEBUG response headers {'content-length': '951', 'content-language': 'en', 'expires': 'Thu, 01 Jan 1970 01:00:00 CET', 'server': 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 20 Jul 2016 08:39:11
GMT', 'content-type': 'text/html;charset=utf-8', 'www-authenticate': 'Basic realm="Certificate Authority"'} 2016-07-20T08:39:11Z DEBUG response body 'Apache Tomcat/7.0.54 - Error report HTTP Status 401 - type Status report message description This request requires HTTP authentication. Apache Tomcat/7.0.54
' 2016-07-20T08:39:11Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2016-07-20T08:39:11Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1618, in upgrade upgrade_configuration() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1548, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 341, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap(caconfig) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1868, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1874, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2038, in __enter__ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) 2016-07-20T08:39:11Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API', domain='ipa', localedir=None) 2016-07-20T08:39:11Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API', domain='ipa', localedir=None) And with further help from mbaste on IRC, I found the following error in ca debug log: (Also available as https://paste.fedoraproject.org/392897/02195914/) [20/Jul/2016:10:39:04][profileChangeMonitor]: BasicProfile: done init [20/Jul/2016:10:39:04][profileChangeMonitor]: Done Profile Creation - 
IECUserRoles [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: PKIRealm.logDebug: Authenticating certificate chain: [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=Example Org, OU =CA, L=City, ST=State, C=DE [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: PKIRealm.logDebug: CN=IPA RA, O=Example Org, OU=CA, L=City, ST=State, C=DE [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: CertUserDBAuth: started [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: CertUserDBAuth: Retrieving client certificate [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: CertUserDBAuth: Got client certificate [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: In LdapBoundConnFactory::getConn() [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: masterConn is connected: false [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: makeConnection: errorIfDown true [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: SSL handshake happened [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Established LDAP connection with SSL client auth to ipa1.loc1.example.com:636 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: getConn: conn is connected false [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Attempt to bring back down connection. 
[20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Re-animated connection: LDAPConnection {ldaps://ipa1.loc1.example.com:636 (2) ldapVersion:3 bindDN:""} [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: getConn: mNumConns now 2 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: returnConn: mNumConns now 3 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Authentication: client certificate found [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: In LdapBoundConnFactory::getConn() [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: masterConn is connected: false [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: makeConnection: errorIfDown true [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: SSL handshake happened [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Established LDAP connection with SSL client auth to ipa1.loc1.example.com:636 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: getConn: conn is connected false [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Attempt to bring back down connection. [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: Re-animated connection: LDAPConnection {ldaps://ipa1.loc1.example.com:636 (2) ldapVersion:3 bindDN:""} [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: getConn: mNumConns now 2 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: returnConn: mNumConns now 3 [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: CertUserDBAuthentication: cannot map certificate to any user [20/Jul/2016:10:39:11][http-bio-8443-exec-4]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=CN=IPA RA, O=Example Org, OU=CA, L=City, ST=State, C=DE][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA, O=Example Org, OU=CA, L=City, ST=State, C=DE] authentication failure I'm totally lost with this and cannot explain, why some replicas successfully updated and some failed. 
Does anyone have some ideas for further debugging and/or maybe even some solution or pointers to fix? Thank you very much. Kind regards, Patrick -- Lobster SCM GmbH, Hindenburgstraße 15, D-82343 Pöcking HRB 178831, Amtsgericht München Geschäftsführer: Dr. Martin Fischer, Rolf Henrich From jan.karasek at elostech.cz Wed Jul 20 15:30:38 2016 From: jan.karasek at elostech.cz (Jan Karásek) Date: Wed, 20 Jul 2016 17:30:38 +0200 (CEST) Subject: [Freeipa-users] AD trust with POSIX attributes In-Reply-To: <41e4334c-531f-0074-cc78-33668d319676@redhat.com> References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> Message-ID: <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> Hi, thank you. ldapsearch reply: search: 2 result: 32 No such object matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=RpcServices,CN=System,DC=rwe,DC=tt' actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty. Did I miss setting something on the AD side ? Thanks, Jan From: "Justin Stephenson" To: "Jan Karásek" Cc: freeipa-users at redhat.com Sent: Wednesday, July 20, 2016 4:09:02 PM Subject: Re: [Freeipa-users] AD trust with POSIX attributes These attributes should be available from port 389 and not the global catalog, please try a command such as: ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber Replacing the root suffix in the search base, the ip-address and bind credentials. Kind regards, Justin Stephenson On 07/20/2016 08:15 AM, Jan Karásek wrote: Hi, thank you for the hint.
In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: It's working with msSFU30MaxUidNumber and msSFU30OrderNumber. If I understand it right, it is base uid number and the number of uids in range. If not discovered nor given via CLI, then it generates a random base and adds some default_range_size. So these two attributes must be set to use ipa-ad-trust-posix range ? Could anybody help me how and where to check these attributes ? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned. I'm using W2012 R2. Thank you, Jan From: "Justin Stephenson" To: "Jan Karásek" , freeipa-users at redhat.com Sent: Tuesday, July 19, 2016 8:36:00 PM Subject: Re: [Freeipa-users] AD trust with POSIX attributes Hello, When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA. You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment. Kind regards, Justin Stephenson On 07/19/2016 09:44 AM, Jan Karásek wrote: Hi, I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ? I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute. What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ? Is it mandatory to fill some AD user's attributes to get it to work ?
Currently I'm testing just with uidNumber and gidNumber. There is almost no documentation about this topic so I don't know what else I can try ... Thanks for help, Jan Date: Tue, 21 Jun 2016 21:38:15 +0200 From: Jakub Hrozek To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD trust with POSIX attributes Message-ID: <20160621193815.GS29512 at hendrix> Content-Type: text/plain; charset=iso-8859-1 On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote: > Hi all, > > I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD. > > I have set up trust with these parameters: > > ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator Did you add the POSIX attributes to AD after creating the trust maybe? > > [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range > Range name: EXAMPLE.TT_id_range > First Posix ID of the range: 1392000000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 > Range type: Active Directory trust range with POSIX attributes > > > I have set attributes in AD for user at EXAMPLE.TT > - uidNumber -10000 > - homeDirectory -/home/user > - loginShell - /bin/bash > > Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh. > > Problem is, that I am not getting uid from AD but from idrange: > > uid=1392001107( user at example.tt ) > > Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck. This has no effect, in IPA-AD trust scenario, the id mapping properties are managed on the server.
> > I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users' information is externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD. I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment, it sounds like you want to use the POSIX attributes across the board. > > So my questions are: > > Is it possible to read user's POSIX attributes directly from AD - namely uid ? Yes > Which attributes can be stored in AD ? Homedir is a bit special, for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set at the moment, though, so I'm operating purely from memory. > Am I doing something wrong ? > > my sssd.conf: > [domain/a.example.tt] > debug_level = 5 > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = a.example.tt > id_provider = ipa > auth_provider = ipa > access_provider = ipa > ipa_hostname = ipa1.a.example.tt > chpass_provider = ipa > ipa_server = ipa1.a.example.tt > ipa_server_mode = True > ldap_tls_cacert = /etc/ipa/ca.crt > #ldap_id_mapping = true > #subdomain_inherit = ldap_user_principal > #ldap_user_principal = nosuchattribute > > [sssd] > services = nss, sudo, pam, ssh > config_file_version = 2 > > domains = a.example.tt > [nss] > debug_level = 5 > homedir_substring = /home > enum_cache_timeout = 2 > entry_negative_timeout = 2 > > > [pam] > debug_level = 5 > [sudo] > > [autofs] > > [ssh] > debug_level = 4 > [pac] > > debug_level = 4 > [ifp] > > Thanks, > Jan
From abokovoy at redhat.com Wed Jul 20 16:06:29 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Jul 2016 19:06:29 +0300 Subject: [Freeipa-users] AD trust with POSIX attributes In-Reply-To: <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> Message-ID: <20160720160629.bietw7md672bm22c@redhat.com> On Wed, 20 Jul 2016, Jan Karásek wrote: >Hi, > >thank you. > >ldapsearch reply: > >search: 2 >result: 32 No such object >matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt >text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best >match of: >'CN=RpcServices,CN=System,DC=rwe,DC=tt' > >actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty. > >Did I miss setting something on the AD side ? Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft removed IDMU tools. The LDAP schema will stay but there will be no means to visually edit POSIX attributes. https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ > >Thanks, >Jan > >From: "Justin Stephenson" >To: "Jan Karásek" >Cc: freeipa-users at redhat.com >Sent: Wednesday, July 20, 2016 4:09:02 PM >Subject: Re: [Freeipa-users] AD trust with POSIX attributes > >These attributes should be available from port 389 and not the global catalog, please try a command such as: > >ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber > >Replacing the root suffix in the search base, the ip-address and bind credentials.
> >Kind regards, >Justin Stephenson > >On 07/20/2016 08:15 AM, Jan Karásek wrote: > >Hi, > >thank you for the hint. > >In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: > >It's working with msSFU30MaxUidNumber and msSFU30OrderNumber. > >If I understand it right, it is base uid number and the number of uids in range. > >If not discovered nor given via CLI, then it generates a random base and adds some default_range_size. > >So these two attributes must be set to use ipa-ad-trust-posix range ? > >Could anybody help me how and where to check these attributes ? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned. >I'm using W2012 R2. > >Thank you, >Jan > >From: "Justin Stephenson" >To: "Jan Karásek" , freeipa-users at redhat.com >Sent: Tuesday, July 19, 2016 8:36:00 PM >Subject: Re: [Freeipa-users] AD trust with POSIX attributes > >Hello, > >When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA. > >You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py > >I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment. > >Kind regards, >Justin Stephenson > >On 07/19/2016 09:44 AM, Jan Karásek wrote: > >Hi, > >I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ? > >I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute.
> >What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ? > >Is it mandatory to fill some AD user's attributes to get it to work ? Currently I'm testing just with uidNumber and gidNumber. > >There is almost no documentation about this topic so I don't know what else I can try ... > >Thanks for help, > >Jan > >Date: Tue, 21 Jun 2016 21:38:15 +0200 >From: Jakub Hrozek >To: freeipa-users at redhat.com >Subject: Re: [Freeipa-users] AD trust with POSIX attributes >Message-ID: <20160621193815.GS29512 at hendrix> >Content-Type: text/plain; charset=iso-8859-1 > >On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote: >> Hi all, >> >> I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD. >> >> I have set up trust with these parameters: >> >> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator > >Did you add the POSIX attributes to AD after creating the trust maybe? > >> >> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range >> Range name: EXAMPLE.TT_id_range >> First Posix ID of the range: 1392000000 >> Number of IDs in the range: 200000 >> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 >> Range type: Active Directory trust range with POSIX attributes >> >> >> I have set attributes in AD for user at EXAMPLE.TT >> - uidNumber -10000 >> - homeDirectory -/home/user >> - loginShell - /bin/bash >> >> Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>> >> Problem is, that I am not getting uid from AD but from idrange: >> >> uid=1392001107( user at example.tt ) >> >> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck. > >This has no effect, in IPA-AD trust scenario, the id mapping properties >are managed on the server. > >> >> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users' information is externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD. > >I think idviews are better for overriding POSIX attributes for a >specific set of hosts, but in your environment, it sounds like you want >to use the POSIX attributes across the board. > >> >> So my questions are: >> >> Is it possible to read user's POSIX attributes directly from AD - namely uid ? > >Yes > >> Which attributes can be stored in AD ? > >Homedir is a bit special, for backwards compatibility the >subdomains_homedir takes precedence. The others should be read from AD. > >I don't have the environment set at the moment, though, so I'm operating >purely from memory. > >> Am I doing something wrong ?
>>
>> my sssd.conf:
>> [domain/a.example.tt]
>> debug_level = 5
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = a.example.tt
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa1.a.example.tt
>> chpass_provider = ipa
>> ipa_server = ipa1.a.example.tt
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_id_mapping = true
>> #subdomain_inherit = ldap_user_principal
>> #ldap_user_principal = nosuchattribute
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>> domains = a.example.tt
>>
>> [nss]
>> debug_level = 5
>> homedir_substring = /home
>> enum_cache_timeout = 2
>> entry_negative_timeout = 2
>>
>> [pam]
>> debug_level = 5
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>> debug_level = 4
>>
>> [pac]
>> debug_level = 4
>>
>> [ifp]
>>
>> Thanks,
>> Jan
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Jul 20 16:13:06 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 20 Jul 2016 19:13:06 +0300
Subject: [Freeipa-users] FreeIPA SSL certificates installed to multiple hosts
In-Reply-To: <578E8DA8.5030501@redhat.com>
References: <578E8DA8.5030501@redhat.com>
Message-ID: <20160720161306.fk2uo626tnz4x3yr@redhat.com>

On Tue, 19 Jul 2016, Rob Crittenden wrote:
>Jeremy Utley wrote:
>>Hello all!
>>
>>We're looking at replacing a lot of our currently self-signed internal
>>SSL certificates in our infrastructure with certificates generated by
>>the FreeIPA CA. However, I've run into something that I haven't been
>>able to find documented as of yet, and I'm hoping some of you can point
>>me in the right direction. Some of our internal SSL sites are
>>load-balanced between multiple hosts, so we end up with the same SSL/Key
>>installed to each host.
>>For example:
>>
>>hostname.domain.com is hosted on hostA and hostB.
>>
>>Both hostA and hostB have the certs at
>>/etc/httpd/certs/hostname.domain.com/hostname.crt
>>, and the private key at
>>/etc/httpd/certs/hostname.domain.com/hostname.key
>>
>>I would expect I can have both hostA and hostB be able to work with the
>>FreeIPA certificates by adding additional ipa host-add-managedby and ipa
>>service-add-host commands, to specify both hostA and hostB. However,
>>from my understanding, running the "ipa-getcert request" command on
>>hostA will put the certs on hostA only, and I'd need the same certs on
>>both hostA and hostB. Is there a special ipa-getcert incantation that
>>can retrieve the already-issued certificate files, and allow them to be
>>managed by FreeIPA on both hosts? Or is there another recommended way
>>of doing this?
>>
>>Thanks for any info you can give me!
>>
>
>IPA doesn't have any provision for sharing keys between machines. I
>think you'd need to manage it similar to the way you probably do now:
>manually copying files around.
>
>What you can do is setup one machine to "own" the certs and keys and
>do the renewals via certmonger, but beyond that you're on your own.

In FreeIPA 4.4.x we provide (and use for our own needs) Custodia[1], which
can be used to store and retrieve commonly accessed secrets. It would be
interesting to extend certmonger to be able to retrieve certificate
material stored in Custodia. A post-retrieval script could be added to
push the certificate material to Custodia on a master.
[1] https://github.com/latchset/custodia

--
/ Alexander Bokovoy

From rbinder at wooplagaming.com Wed Jul 20 17:23:55 2016
From: rbinder at wooplagaming.com (Rubin Binder)
Date: Wed, 20 Jul 2016 14:23:55 -0300 (ADT)
Subject: [Freeipa-users] FreeIPA Client Install 403 error
In-Reply-To: <813586359.1528.1469034728979.JavaMail.rbinder@ASUS-RB>
Message-ID: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB>

Hello all,

I am testing the FreeIPA server for use in a test environment; so far it has been smooth sailing and I have it up and running, no problems.

The problem is occurring during client installation. I have installed the ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... I get the following:

Client hostname: centostest.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: ldap.mydomain.com
BaseDN: dc=mydomain,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin at MYDOMAIN.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=MYDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=MYDOMAIN.COM
    Valid From:  Wed Jul 13 13:12:08 2016 UTC
    Valid Until: Sun Jul 13 13:12:08 2036 UTC

Joining realm failed: HTTP response code is 403, not 200

Installation failed. Rolling back changes.
IPA client is not configured on this system.

I can't make sense of why I'd be seeing a 403 error. I've done my share of searching but have not found a similar issue. Some have reported 401 errors in some circumstances, but not 403.

Has anyone seen this before?

Thanks,
Rubin

From linov.suresh at gmail.com Wed Jul 20 17:32:57 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Wed, 20 Jul 2016 13:32:57 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <578F85E2.7010704@redhat.com>
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com>
Message-ID:

Thanks for your help Rob, I will create a separate thread for the IPA replication issue. But we are still getting

*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*

Could you please help us to fix this?

On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:

> Glad you got the certificates successfully renewed.
>
> Can you open a new e-mail thread on this new problem so we can keep the
> issues separated?
>
> IPA gets little information back when dogtag fails to install. You need to
> look in /var/log//debug for more information. The exact location
> depends on the version of IPA.
>
> rob
>
> Linov Suresh wrote:
>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server. I was trying to create an IPA replica server and got
>> an error:
>>
>> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
Configuring certificate server >> (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating >> certificate server user [2/17]: creating pki-ca instance [3/17]: >> configuring certificate server instance ipa : CRITICAL failed to >> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent >> ConfigureCA -cs_hostname neit-lab.teloip.net >> -cs_port 9445 -client_certdb_dir >> /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin >> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email >> root at localhost -admin_password XXXXXXXX >> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa >> -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET >> -ldap_host neit-lab.teloip.net -ldap_port >> 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn >> o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm >> SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name >> pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA >> Subsystem,O=TELOIP.NET >> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET >> -ca_ocsp_cert_subject_name CN=OCSP >> Subsystem,O=TELOIP.NET -ca_server_cert_subject_name >> CN=neit-lab.teloip.net ,O=TELOIP.NET >> -ca_audit_signing_cert_subject_name CN=CA >> Audit,O=TELOIP.NET -ca_sign_cert_subject_name >> CN=Certificate Authority,O=TELOIP.NET -external >> false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX >> -sd_hostname caer.teloip.net -sd_admin_port 443 >> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true >> -clone_uri https://caer.teloip.net:443' >> returned non-zero exit status 255 Your >> system may be partly configured. Run /usr/sbin/ipa-server-install >> --uninstall to clean up. 
Configuration of CA failed [root at neit-lab >> ~]# >> >> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it >> wasn't helpful.Wondering if you can help us on this, >> >> >> >> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden > > wrote: >> >> Linov Suresh wrote: >> >> I have followed Redhat official documentation, >> https://access.redhat.com/solutions/643753 for certificate >> renewal, >> which says *add: usercertificate. (step 12)* >> * >> * >> While on the other hand FreeIPA official documentaion >> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , say to >> *add: >> usercertificate;binary* >> >> Just wondering if we need to*add *the certificate? or*replace* the >> existing certificate and which format do we need to use? *pem* >> or *der*. >> >> We already successfully renewed the certificates about months >> back, but >> they were expired about 6 months back and we were not able to >> renew till >> now, and is affected our production environment. >> >> Pleas help us. >> >> >> You shouldn't have to mess with these values at all. In 3.0 this is >> handled somewhat automatically. >> >> I'd restart the CA, then certmonger and see if the communication >> error goes away for the CA subservice certificates (the internal >> error). >> >> # service pki-cad restart >> >> # service certmonger restart >> >> I find it very strange that the certificates were set to expire >> yesterday but it isn't a show-stopper necessarily assuming you can >> get the CA back up. >> >> Assuming you can, then go back in time again, this time just a few >> days and try renewing the LDAP and Apache server certs again. >> >> rob >> >> >> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh >> >> >> >> wrote: >> >> We have cloned and created another virtual server from the >> template. >> Surprisingly this server certificates were also expired at >> the same >> time as the previous, just lasted for a day. >> This issue has something to do with the kerberos tickets? 
>> >> I am new to IPA and your help is highly appreciated. >> >> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh >> >> >> >> wrote: >> >> *Update: my webserver and LDAP certificates were expired >> at >> 2016-07-18 15:54:36 UTC and the certificates are in >> CA_UNREACHABLE state.* >> * >> * >> *Could you please help us? >> * >> >> [root at caer tmp]# getcert list >> Number of certificates and requests being tracked: 8. >> Request ID '20111214223243': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: >> -504 >> (libcurl failed to execute the HTTP POST transaction. >> Peer >> certificate cannot be authenticated with known CA >> certificates). >> stuck: yes >> key pair storage: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> Certificate >> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >> certificate: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> >> *expires: 2016-07-18 15:54:36 UTC* >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20111214223300': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: >> -504 >> (libcurl failed to execute the HTTP POST transaction. >> Peer >> certificate cannot be authenticated with known CA >> certificates). 
>> stuck: yes >> key pair storage: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> certificate: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> >> *expires: 2016-07-18 15:54:52 UTC* >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20111214223316': >> status: CA_UNREACHABLE >> ca-error: Server failed request, will retry: >> -504 >> (libcurl failed to execute the HTTP POST transaction. >> Peer >> certificate cannot be authenticated with known CA >> certificates). >> stuck: yes >> key pair storage: >> >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> >> *expires: 2016-07-18 15:55:04 UTC* >> >> eku: id-kp-serverAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20130519130741': >> status: MONITORING >> ca-error: Internal error: no response to >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> certificate: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=CA Audit,O=TELOIP.NET >> >> expires: 2017-10-13 14:10:49 UTC >> pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130742': >> status: MONITORING >> ca-error: Internal error: no response to >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". >> stuck: no >> key pair storage: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> certificate: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=OCSP Subsystem,O=TELOIP.NET >> >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-OCSPSigning >> pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130743': >> status: MONITORING >> ca-error: Internal error: no response to >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> certificate: >> >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=CA Subsystem,O=TELOIP.NET >> >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert >> cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20130519130744': >> status: MONITORING >> ca-error: Internal error: no response to >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". >> stuck: no >> key pair storage: >> >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> >> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=RA Subsystem,O=TELOIP.NET >> >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> /usr/lib64/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20130519130745': >> status: MONITORING >> ca-error: Internal error: no response to >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". 
>> stuck: no >> key pair storage: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> Certificate DB',pin='297100916664' >> certificate: >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=TELOIP.NET >> >> >> subject: CN=caer.teloip.net >> >> ,O=TELOIP.NET >> >> expires: 2017-10-13 14:09:49 UTC >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET >> >> " >> track: yes >> auto-renew: yes >> >> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh >> >> >> >> wrote: >> >> Yes, PKI is running and I don't see any errors in >> selftests, >> I have followed >> https://access.redhat.com/solutions/643753 >> and restarted the PKI in step 10. >> >> The only change which I made was clean >> up userCertificate;binary before adding new >> userCertificatein LDAP, which is step 12. >> >> >> [root at caer ~]# /etc/init.d/pki-cad status >> pki-ca (pid 8634) is running... 
>> [ >> OK ] >> Unsecure Port = >> http://caer.teloip.net:9180/ca/ee/ca >> Secure Agent Port = >> https://caer.teloip.net:9443/ca/agent/ca >> Secure EE Port = >> https://caer.teloip.net:9444/ca/ee/ca >> Secure Admin Port = >> https://caer.teloip.net:9445/ca/services >> EE Client Auth Port = >> https://caer.teloip.net:9446/ca/eeca/ca >> PKI Console Port = pkiconsole >> https://caer.teloip.net:9445/ca >> Tomcat Port = 9701 (for shutdown) >> >> PKI Instance Name: pki-ca >> >> PKI Subsystem Type: Root CA (Security Domain) >> >> Registered PKI Security Domain Information: >> >> >> >> ========================================================================== >> Name: IPA >> URL: https://caer.teloip.net:9445 >> >> >> >> ========================================================================== >> [root at caer ~]# >> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin >> logger >> parameters >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin >> instances >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading all self test plugin >> instance >> parameters >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading self test plugins in >> on-demand order >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: loading self test plugins in >> startup order >> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] >> SelfTestSubsystem: Self test plugins have been >> successfully >> loaded! 
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] >> SelfTestSubsystem: Running self test plugins >> specified to be >> executed at startup: >> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] >> CAPresence: >> CA is present >> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] >> SystemCertsVerification: system certs verification >> success >> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] >> SelfTestSubsystem: All CRITICAL self test plugins ran >> SUCCESSFULLY at startup! >> >> Your help is highly appreciated! >> >> Linov Suresh >> >> 70 Forest Manor Rd. >> Toronto >> ON M2J 0A9 >> Mobile: +1 647 406 9438 >> >> Linkedin: ca.linkedin.com/in/linov/ >> >> >> Website: http://mylinuxthoughts.blogspot.com >> >> >> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik >> >> >> wrote: >> >> On 07/18/2016 05:45 AM, Linov Suresh wrote: >> > Thanks for the update Rob. I went back to Jan >> 20, 2016, restarted CA and >> > certmonger. Look like certificates were >> renewed. But I'm getting a different >> > error now, >> > >> > *ca-error: Internal error: no response to >> > >> >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ".* >> >> Is PKI running? When you change the time, does >> restart >> of IPA help? >> >> > >> > [root at caer ~]# getcert list >> > Number of certificates and requests being >> tracked: 8. 
>> > Request ID '20111214223243': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > Certificate >> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >> > certificate: >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > Certificate DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> >> > subject: CN=caer.teloip.net >> >> >> ,O=TELOIP.NET >> >> > >> > expires: 2016-07-18 15:54:36 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20111214223300': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > >> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > certificate: >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> >> > subject: CN=caer.teloip.net >> >> >> ,O=TELOIP.NET >> >> > >> > expires: 2016-07-18 15:54:52 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20111214223316': >> > status: MONITORING >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > Certificate >> DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > Certificate DB' >> > CA: IPA >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> >> > subject: CN=caer.teloip.net >> >> >> ,O=TELOIP.NET >> >> > >> > expires: 2016-07-18 15:55:04 UTC >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > 
track: yes >> > auto-renew: yes >> > Request ID '20130519130741': >> > status: MONITORING >> > ca-error: Internal error: no response >> to >> > >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". >> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> >> > subject: CN=CA Audit,O=TELOIP.NET >> >> >> > expires: 2017-10-13 14:10:49 UTC >> > pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "auditSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130742': >> > status: MONITORING >> > ca-error: Internal error: no response >> to >> > >> " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". 
>> > stuck: no >> > key pair storage: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664' >> > certificate: >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> Authority,O=TELOIP.NET >> >> >> > subject: CN=OCSP >> Subsystem,O=TELOIP.NET >> >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-OCSPSigning >> > pre-save command: >> /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "ocspSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130743': > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jstephen at redhat.com Wed Jul 20 17:49:16 2016 From: jstephen at redhat.com (Justin Stephenson) Date: Wed, 20 Jul 2016 13:49:16 -0400 Subject: [Freeipa-users] FreeIPA Client Install 403 error In-Reply-To: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB> References: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB> Message-ID: <8c9bdd69-c3ea-9b11-d3c3-030c07601744@redhat.com> Could you please share with us the /var/log/ipaclient-install.log ? Kind regards, Justin Stephenson On 07/20/2016 01:23 PM, Rubin Binder wrote: > Hello all, > > I am testing Free IPA server for use under a test environment, so far smooth sailing and have it up and running, no problems. > > The problem is occurring during client installation. I have installed the ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... I get the following: > > Client hostname: centostest.mydomain.com > Realm: MYDOMAIN.COM > DNS Domain: mydomain.com > IPA Server: ldap.mydomain.com > BaseDN: dc=mydomain,dc=com > > Continue to configure the system with these values? [no]: yes > Skipping synchronizing time with NTP server. 
> User authorized to enroll computers: admin
> Password for admin at MYDOMAIN.COM:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=MYDOMAIN.COM
>     Issuer:      CN=Certificate Authority,O=MYDOMAIN.COM
>     Valid From:  Wed Jul 13 13:12:08 2016 UTC
>     Valid Until: Sun Jul 13 13:12:08 2036 UTC
>
> Joining realm failed: HTTP response code is 403, not 200
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> I can't make sense of why I'd be seeing a 403 error. I've done my share of searching but have not found a similar issue. Some have reported 401 errors in some circumstances, but not 403.
>
> Has anyone seen this before?
>
> Thanks,
> Rubin
>

From linov.suresh at gmail.com Wed Jul 20 17:50:49 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Wed, 20 Jul 2016 13:50:49 -0400
Subject: [Freeipa-users] IPA Replication failed: Your system may be partly configured. Run ipa-server-install --uninstall to clean up. Configuration of CA failed
Message-ID:

I was trying to replicate our IPA server, which is running on CentOS 6.4 and FreeIPA 3.0, and I got an error:

*Your system may be partly configured.*
*Run /usr/sbin/ipa-server-install --uninstall to clean up.*
*Configuration of CA failed*

I ran /usr/sbin/ipa-server-install --uninstall a couple of times before installing the replica, but was unsuccessful in creating the replica server:

[root at neit-lab ~]# *ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg*
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating certificate server user [2/17]: creating pki-ca instance [3/17]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O= TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN= neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443 ' returned non-zero exit status 255 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Configuration of CA failed [root at neit-lab ~]# Could you please help me? 
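Added example, not part of the thread and not FreeIPA's or certmonger's own tooling: a small Python triage of `getcert list` output for the situation in the "IPA certificates expired" thread above, where Rob's point is that the CA itself is not yet fixed, and for the replica install that then fails at the CA clone step. It parses the text `getcert list` prints, flags every request that is CA_UNREACHABLE, stuck, carries a ca-error, or has already expired at a given reference time, and derives the clock value the thread's "go back in time" workaround needs (a few days before the earliest expiry). The sample listing is constructed after the quoted output with placeholder hostname and realm (ipa.example.test / EXAMPLE.TEST); the `Request`, `triage` and `clock_for_renewal` names are this example's own.

```python
"""Triage `getcert list` output: expired, stuck or erroring certmonger requests.
Added example; not code from the thread or from FreeIPA/certmonger."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the `getcert list` output quoted in the thread;
# hostname and realm are placeholders, not the poster's values.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-18 15:54:36 UTC
Request ID '20130519130742':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
Request ID '20130519130744':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
"""


def parse_utc(raw: str) -> datetime:
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; a bare date is accepted too."""
    raw = raw.replace(" UTC", "").strip()
    fmt = "%Y-%m-%d %H:%M:%S" if " " in raw else "%Y-%m-%d"
    return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)


@dataclass
class Request:
    request_id: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def nickname(self) -> str:
        m = re.search(r"nickname='([^']*)'", self.fields.get("certificate", ""))
        return m.group(1) if m else self.request_id

    @property
    def expires(self) -> Optional[datetime]:
        raw = self.fields.get("expires")
        return parse_utc(raw) if raw else None


def parse_getcert_list(text: str) -> List[Request]:
    """One Request per 'Request ID' block; each indented 'key: value' line is a field."""
    requests: List[Request] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append(Request(m.group(1)))
        elif requests and ":" in line:  # skip the 'Number of certificates' header
            key, _, value = line.strip().partition(":")
            requests[-1].fields[key.strip()] = value.strip()
    return requests


def triage(requests: List[Request], now: datetime) -> List[Tuple[str, List[str]]]:
    """(nickname, problems) for every request an admin must look at: a status other
    than MONITORING, stuck, a ca-error, or a certificate already expired at `now`."""
    findings = []
    for r in requests:
        f, problems = r.fields, []
        if f.get("status") != "MONITORING":
            problems.append("status " + f.get("status", "?"))
        if f.get("stuck") == "yes":
            problems.append("stuck")
        if f.get("ca-error"):
            problems.append("ca-error: " + f["ca-error"][:70])
        if r.expires is not None and r.expires <= now:
            problems.append("expired " + r.expires.strftime("%Y-%m-%d"))
        if problems:
            findings.append((r.nickname, problems))
    return findings


def clock_for_renewal(requests: List[Request], margin_days: int = 3) -> Optional[datetime]:
    """Date for the thread's 'set the clock back' workaround: a point at which every
    tracked certificate is still valid, i.e. the earliest expiry minus a margin."""
    expiries = [r.expires for r in requests if r.expires is not None]
    return min(expiries) - timedelta(days=margin_days) if expiries else None


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    for nick, problems in triage(reqs, parse_utc("2016-07-20")):
        print(f"{nick}: {'; '.join(problems)}")
    print("clock for renewal:", clock_for_renewal(reqs))
```

On a real server feed it the output of `getcert list` instead of SAMPLE. A request reported as `stuck: yes` is one certmonger has stopped retrying on its own; once the CA answers again (Rob's `ipa cert-show 1` check), `getcert resubmit -i <request id>` restarts it.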
From rcritten at redhat.com Wed Jul 20 18:22:40 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jul 2016 14:22:40 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com>
Message-ID: <578FC170.20405@redhat.com>

Linov Suresh wrote:
> Thanks for your help Rob, I will create a separate thread for IPA
> replication issue. But we are still getting
>
> *ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>
> Could you please help us to fix this?

I think your CA isn't quite fixed yet. I'd restart pki-cad then do
something like:

ipa cert-show 1

You should get back a cert (doesn't really matter what cert). Otherwise
I'd check the CA debug log somewhere in /var/log/pki

rob

> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:
>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep
>> the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You
>> need to look in /var/log//debug for more information. The
>> exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>>> Great! That worked, and I successfully renewed the certificates on
>>> the IPA server. Then I was trying to create an IPA replica server and
>>> got an error:
>>>
>>> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>>> Directory Manager (existing master) password:
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>   [1/3]: creating directory server user
>>>   [2/3]: creating directory server instance
>>>   [3/3]: restarting directory server
>>> Done configuring directory server for the CA (pkids).
>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>   [1/17]: creating certificate server user
>>>   [2/17]: creating pki-ca instance
>>>   [3/17]: configuring certificate server instance
>>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> Configuration of CA failed
>>> [root at neit-lab ~]#
>>>
>>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>>> wasn't helpful. Wondering if you can help us on this,
>>>
>>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>>>
>>>> Linov Suresh wrote:
>>>>
>>>>> I have followed Redhat official documentation,
>>>>> https://access.redhat.com/solutions/643753 for certificate renewal,
>>>>> which says *add: usercertificate. (step 12)*
>>>>>
>>>>> While on the other hand FreeIPA official documentation
>>>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to
>>>>> *add: usercertificate;binary*
>>>>>
>>>>> Just wondering if we need to *add* the certificate? or *replace* the
>>>>> existing certificate, and which format do we need to use? *pem* or *der*.
>>>>>
>>>>> We already successfully renewed the certificates about months back, but
>>>>> they expired about 6 months back and we were not able to renew till
>>>>> now, and it has affected our production environment.
>>>>>
>>>>> Please help us.
>>>>
>>>> You shouldn't have to mess with these values at all. In 3.0 this is
>>>> handled somewhat automatically.
>>>>
>>>> I'd restart the CA, then certmonger and see if the communication error
>>>> goes away for the CA subservice certificates (the internal error).
>>>>
>>>> # service pki-cad restart
>>>>
>>>> # service certmonger restart
>>>>
>>>> I find it very strange that the certificates were set to expire
>>>> yesterday but it isn't a show-stopper necessarily assuming you can get
>>>> the CA back up.
>>>>
>>>> Assuming you can, then go back in time again, this time just a few days
>>>> and try renewing the LDAP and Apache server certs again.
>>>>
>>>> rob
>>>>
>>>>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>>>>>
>>>>>> We have cloned and created another virtual server from the template.
>>>>>> Surprisingly this server's certificates also expired at the same time
>>>>>> as the previous, they just lasted for a day.
>>>>>> This issue has something to do with the kerberos tickets?
>>>>>>
>>>>>> I am new to IPA and your help is highly appreciated.
>>>>>>
>>>>>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:
>>>>>>
>>>>>>> *Update: my webserver and LDAP certificates were expired at
>>>>>>> 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE
>>>>>>> state.*
>>>>>>>
>>>>>>> *Could you please help us?*
>>>>>>>
>>>>>>> [root at caer tmp]# getcert list
>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>> Request ID '20111214223243':
>>>>>>>     status: CA_UNREACHABLE
>>>>>>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>     stuck: yes
>>>>>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>>>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>     CA: IPA
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>     *expires: 2016-07-18 15:54:36 UTC*
>>>>>>>     eku: id-kp-serverAuth
>>>>>>>     pre-save command:
>>>>>>>     post-save command:
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20111214223300':
>>>>>>>     status: CA_UNREACHABLE
>>>>>>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>     stuck: yes
>>>>>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>>>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>     CA: IPA
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>     *expires: 2016-07-18 15:54:52 UTC*
>>>>>>>     eku: id-kp-serverAuth
>>>>>>>     pre-save command:
>>>>>>>     post-save command:
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20111214223316':
>>>>>>>     status: CA_UNREACHABLE
>>>>>>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>     stuck: yes
>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>     CA: IPA
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>     *expires: 2016-07-18 15:55:04 UTC*
>>>>>>>     eku: id-kp-serverAuth
>>>>>>>     pre-save command:
>>>>>>>     post-save command:
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20130519130741':
>>>>>>>     status: MONITORING
>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>>>>>>     stuck: no
>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=CA Audit,O=TELOIP.NET
>>>>>>>     expires: 2017-10-13 14:10:49 UTC
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20130519130742':
>>>>>>>     status: MONITORING
>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>>>>>     stuck: no
>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=OCSP Subsystem,O=TELOIP.NET
>>>>>>>     expires: 2017-10-13 14:09:49 UTC
>>>>>>>     eku: id-kp-OCSPSigning
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20130519130743':
>>>>>>>     status: MONITORING
>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>>>>>     stuck: no
>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=CA Subsystem,O=TELOIP.NET
>>>>>>>     expires: 2017-10-13 14:09:49 UTC
>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20130519130744':
>>>>>>>     status: MONITORING
>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>>>>>>     stuck: no
>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=RA Subsystem,O=TELOIP.NET
>>>>>>>     expires: 2017-10-13 14:09:49 UTC
>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>     pre-save command:
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>> Request ID '20130519130745':
>>>>>>>     status: MONITORING
>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>>>>>>     stuck: no
>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>     expires: 2017-10-13 14:09:49 UTC
>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>     pre-save command:
>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>>>>>>     track: yes
>>>>>>>     auto-renew: yes
>>>>>>>
>>>>>>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>>>>>>>
>>>>>>>> Yes, PKI is running and I don't see any errors in selftests. I have
>>>>>>>> followed https://access.redhat.com/solutions/643753 and restarted
>>>>>>>> the PKI in step 10.
>>>>>>>>
>>>>>>>> The only change which I made was to clean up userCertificate;binary
>>>>>>>> before adding the new userCertificate in LDAP, which is step 12.
>>>>>>>>
>>>>>>>> [root at caer ~]# /etc/init.d/pki-cad status
>>>>>>>> pki-ca (pid 8634) is running...                            [  OK  ]
>>>>>>>>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>>>>>>>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>>>>>>>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>>>>>>>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>>>>>>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>>>>>>>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>>>>>>>     Tomcat Port         = 9701 (for shutdown)
>>>>>>>>
>>>>>>>>     PKI Instance Name:   pki-ca
>>>>>>>>
>>>>>>>>     PKI Subsystem Type:  Root CA (Security Domain)
>>>>>>>>
>>>>>>>>     Registered PKI Security Domain Information:
>>>>>>>>     ==========================================================================
>>>>>>>>     Name:  IPA
>>>>>>>>     URL:   https://caer.teloip.net:9445
>>>>>>>>     ==========================================================================
>>>>>>>> [root at caer ~]#
>>>>>>>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>>>>>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>>>>>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>>>>>>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>>>>>>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>>>>>>>
>>>>>>>> Your help is highly appreciated!
>>>>>>>>
>>>>>>>> Linov Suresh
>>>>>>>> 70 Forest Manor Rd.
>>>>>>>> Toronto
>>>>>>>> ON M2J 0A9
>>>>>>>> Mobile: +1 647 406 9438
>>>>>>>> Linkedin: ca.linkedin.com/in/linov/
>>>>>>>> Website: http://mylinuxthoughts.blogspot.com
>>>>>>>>
>>>>>>>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>>>>>>>
>>>>>>>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>>>>>>>>> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>>>>>>>>>> certmonger. Looks like certificates were renewed. But I'm getting a
>>>>>>>>>> different error now,
>>>>>>>>>>
>>>>>>>>>> *ca-error: Internal error: no response to
>>>>>>>>>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>>>>>>>>
>>>>>>>>> Is PKI running? When you change the time, does restart of IPA help?
>>>>>>>>>
>>>>>>>>>> [root at caer ~]# getcert list
>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>> Request ID '20111214223243':
>>>>>>>>>>     status: MONITORING
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>>>>>>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>     CA: IPA
>>>>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>     expires: 2016-07-18 15:54:36 UTC
>>>>>>>>>>     eku: id-kp-serverAuth
>>>>>>>>>>     pre-save command:
>>>>>>>>>>     post-save command:
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>> Request ID '20111214223300':
>>>>>>>>>>     status: MONITORING
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>>>>>>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>     CA: IPA
>>>>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>     expires: 2016-07-18 15:54:52 UTC
>>>>>>>>>>     eku: id-kp-serverAuth
>>>>>>>>>>     pre-save command:
>>>>>>>>>>     post-save command:
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>> Request ID '20111214223316':
>>>>>>>>>>     status: MONITORING
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>     CA: IPA
>>>>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>     expires: 2016-07-18 15:55:04 UTC
>>>>>>>>>>     eku: id-kp-serverAuth
>>>>>>>>>>     pre-save command:
>>>>>>>>>>     post-save command:
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>> Request ID '20130519130741':
>>>>>>>>>>     status: MONITORING
>>>>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>     subject: CN=CA Audit,O=TELOIP.NET
>>>>>>>>>>     expires: 2017-10-13 14:10:49 UTC
>>>>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>> Request ID '20130519130742':
>>>>>>>>>>     status: MONITORING
>>>>>>>>>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>     CA: dogtag-ipa-renew-agent
>>>>>>>>>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>     subject: CN=OCSP Subsystem,O=TELOIP.NET
>>>>>>>>>>     expires: 2017-10-13 14:09:49 UTC
>>>>>>>>>>     eku: id-kp-OCSPSigning
>>>>>>>>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>> Request ID '20130519130743':

From rbinder at wooplagaming.com Wed Jul 20 18:28:55 2016
From: rbinder at wooplagaming.com (Rubin Binder)
Date: Wed, 20 Jul 2016 15:28:55 -0300 (ADT)
Subject: [Freeipa-users] FreeIPA Client Install 403 error
In-Reply-To: <8c9bdd69-c3ea-9b11-d3c3-030c07601744@redhat.com>
References: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB> <8c9bdd69-c3ea-9b11-d3c3-030c07601744@redhat.com>
Message-ID: <951404011.1559.1469039328355.JavaMail.rbinder@ASUS-RB>

Justin,

Thank you very much for the prompt response. The log output is as follows:

2016-07-20T17:02:52Z DEBUG Starting external process
2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T17:02:52Z DEBUG Process finished, return code=17
2016-07-20T17:02:52Z DEBUG stdout=
2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200

2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 403, not 200

2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.
Regards,
Rubin

----- Original Message -----
From: "Justin Stephenson"
To: "Rubin Binder" , freeipa-users at redhat.com
Sent: Wednesday, July 20, 2016 2:49:16 PM
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error

Could you please share with us the /var/log/ipaclient-install.log ?

Kind regards,

Justin Stephenson

On 07/20/2016 01:23 PM, Rubin Binder wrote:
> Hello all,
>
> I am testing Free IPA server for use under a test environment, so far smooth sailing and have it up and running, no problems.
>
> The problem is occurring during client installation. I have installed the ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install... I get the following:
>
> Client hostname: centostest.mydomain.com
> Realm: MYDOMAIN.COM
> DNS Domain: mydomain.com
> IPA Server: ldap.mydomain.com
> BaseDN: dc=mydomain,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Skipping synchronizing time with NTP server.
> User authorized to enroll computers: admin
> Password for admin at MYDOMAIN.COM:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=MYDOMAIN.COM
>     Issuer:      CN=Certificate Authority,O=MYDOMAIN.COM
>     Valid From:  Wed Jul 13 13:12:08 2016 UTC
>     Valid Until: Sun Jul 13 13:12:08 2036 UTC
>
> Joining realm failed: HTTP response code is 403, not 200
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> I can't make sense of why I'd be seeing a 403 error. I've done my share of searching but have not found a similar issue. Some have reported 401 errors in some circumstances, but not 403.
>
> Has anyone seen this before?
>
> Thanks,
> Rubin
From rcritten at redhat.com Wed Jul 20 18:33:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Jul 2016 14:33:36 -0400
Subject: [Freeipa-users] FreeIPA Client Install 403 error
In-Reply-To: <951404011.1559.1469039328355.JavaMail.rbinder@ASUS-RB>
References: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB> <8c9bdd69-c3ea-9b11-d3c3-030c07601744@redhat.com> <951404011.1559.1469039328355.JavaMail.rbinder@ASUS-RB>
Message-ID: <578FC400.8050205@redhat.com>

Rubin Binder wrote:
> Justin,
>
> Thank you very much for the prompt response. The log output is as follows:
>
> 2016-07-20T17:02:52Z DEBUG Starting external process
> 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
> 2016-07-20T17:02:52Z DEBUG Process finished, return code=17
> 2016-07-20T17:02:52Z DEBUG stdout=
> 2016-07-20T17:02:52Z DEBUG stderr=HTTP response code is 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Joining realm failed: HTTP response code is 403, not 200
>
> 2016-07-20T17:02:52Z ERROR Installation failed. Rolling back changes.
> 2016-07-20T17:02:52Z ERROR IPA client is not configured on this system.

Seeing the entire file is usually more helpful but in this case you did
provide a single clue. Return code 17 from ipa-join is an XML-RPC fault.
This may be the same 403 as reported elsewhere.

I'd suggest looking in /var/log/httpd/error_log on the master.

rob

> Regards,
> Rubin
>
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson"
> *To: *"Rubin Binder" , freeipa-users at redhat.com
> *Sent: *Wednesday, July 20, 2016 2:49:16 PM
> *Subject: *Re: [Freeipa-users] FreeIPA Client Install 403 error
>
> Could you please share with us the /var/log/ipaclient-install.log ?
>
> Kind regards,
>
> Justin Stephenson

From rbinder at wooplagaming.com Wed Jul 20 18:45:40 2016
From: rbinder at wooplagaming.com (Rubin Binder)
Date: Wed, 20 Jul 2016 15:45:40 -0300 (ADT)
Subject: [Freeipa-users] FreeIPA Client Install 403 error
In-Reply-To: <578FC400.8050205@redhat.com>
References: <814962216.1539.1469035428066.JavaMail.rbinder@ASUS-RB> <8c9bdd69-c3ea-9b11-d3c3-030c07601744@redhat.com> <951404011.1559.1469039328355.JavaMail.rbinder@ASUS-RB> <578FC400.8050205@redhat.com>
Message-ID: <1662292014.1590.1469040332784.JavaMail.rbinder@ASUS-RB>

Rob,

My apologies, I only provided a tail of the log, I should have provided more. I can see now there is much more detail in there.

I followed your lead regarding the HTTP error log from the server and found this:

[Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client 172.16.10.12:49727] AH01630: client denied by server configuration: /usr/share/ipa/wsgi.py, referer: https://ldap.mydomain.com/ipa/xml

So, that is most likely the next track for me to follow.
Thank you for your assistance to this point, and in case there is interest here is the full client log:

2016-07-20T18:33:18Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'ip_addresses': [], 'configure_firefox': False, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'no_nisdomain': False, 'nisdomain': None, 'ca_cert_file': None, 'principal': None, 'keytab': None, 'hostname': None, 'request_cert': False, 'trust_sshfp': False, 'no_ac': False, 'unattended': None, 'all_ip_addresses': False, 'location': None, 'sssd': True, 'ntp_servers': None, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'firefox_dir': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'mkhomedir': False, 'uninstall': False}
2016-07-20T18:33:18Z DEBUG missing options might be asked for interactively later
2016-07-20T18:33:18Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.17
2016-07-20T18:33:18Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-07-20T18:33:18Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2016-07-20T18:33:18Z DEBUG Starting external process
2016-07-20T18:33:18Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2016-07-20T18:33:18Z DEBUG Process finished, return code=0
2016-07-20T18:33:18Z DEBUG stdout=enabled
2016-07-20T18:33:18Z DEBUG stderr=
2016-07-20T18:33:18Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2016-07-20T18:33:18Z DEBUG [IPA Discovery]
2016-07-20T18:33:18Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=centostest.mydomain.com
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (domain of the hostname) and its sub-domains
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:18Z DEBUG Search DNS for SRV record of _ldap._tcp.com
2016-07-20T18:33:18Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:18Z DEBUG Start searching for LDAP SRV record in "mydomain.com" (search domain from /etc/resolv.conf) and its sub-domains
2016-07-20T18:33:18Z DEBUG Already searched mydomain.com; skipping
2016-07-20T18:33:18Z DEBUG No LDAP server found
2016-07-20T18:33:18Z DEBUG No LDAP server found
2016-07-20T18:33:18Z INFO DNS discovery failed to determine your DNS domain
2016-07-20T18:33:20Z DEBUG will use interactively provided domain: mydomain.com
2016-07-20T18:33:20Z DEBUG [IPA Discovery]
2016-07-20T18:33:20Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=None, hostname=centostest.mydomain.com
2016-07-20T18:33:20Z DEBUG Search for LDAP SRV record in mydomain.com
2016-07-20T18:33:20Z DEBUG Search DNS for SRV record of _ldap._tcp.mydomain.com
2016-07-20T18:33:20Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:20Z DEBUG No LDAP server found
2016-07-20T18:33:20Z DEBUG IPA Server not found
2016-07-20T18:33:20Z DEBUG DNS discovery failed to find the IPA Server
2016-07-20T18:33:23Z DEBUG will use interactively provided server: ldap.mydomain.com
2016-07-20T18:33:23Z DEBUG [IPA Discovery]
2016-07-20T18:33:23Z DEBUG Starting IPA discovery with domain=mydomain.com, servers=['ldap.mydomain.com'], hostname=centostest.mydomain.com
2016-07-20T18:33:23Z DEBUG Server and domain forced
2016-07-20T18:33:23Z DEBUG [Kerberos realm search]
2016-07-20T18:33:23Z DEBUG Search DNS for TXT record of _kerberos.mydomain.com
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:23Z DEBUG Search DNS for SRV record of _kerberos._udp.mydomain.com
2016-07-20T18:33:23Z DEBUG DNS record not found: NXDOMAIN
2016-07-20T18:33:23Z DEBUG SRV record for KDC not found! Domain: mydomain.com
2016-07-20T18:33:23Z DEBUG [LDAP server check]
2016-07-20T18:33:23Z DEBUG Verifying that ldap.mydomain.com (realm None) is an IPA server
2016-07-20T18:33:23Z DEBUG Init LDAP connection to: ldap.mydomain.com
2016-07-20T18:33:24Z DEBUG Search LDAP server for IPA base DN
2016-07-20T18:33:24Z DEBUG Check if naming context 'dc=mydomain,dc=com' is for IPA
2016-07-20T18:33:24Z DEBUG Naming context 'dc=mydomain,dc=com' is a valid IPA context
2016-07-20T18:33:24Z DEBUG Search for (objectClass=krbRealmContainer) in dc=mydomain,dc=com (sub)
2016-07-20T18:33:24Z DEBUG Found: cn=MYDOMAION.COM,cn=kerberos,dc=mydomain,dc=com
2016-07-20T18:33:24Z DEBUG Discovery result: Success; server=ldap.mydomain.com, domain=mydomain.com, kdc=None, basedn=dc=mydomain,dc=com
2016-07-20T18:33:24Z DEBUG Validated servers: ldap.mydomain.com
2016-07-20T18:33:24Z WARNING The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
2016-07-20T18:33:24Z INFO Autodiscovery of servers for failover cannot work with this configuration.
2016-07-20T18:33:24Z INFO If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
2016-07-20T18:33:26Z DEBUG will use discovered realm: MYDOMAION.COM
2016-07-20T18:33:26Z DEBUG will use discovered basedn: dc=mydomain,dc=com
2016-07-20T18:33:26Z INFO Client hostname: centostest.mydomain.com
2016-07-20T18:33:26Z DEBUG Hostname source: Machine's FQDN
2016-07-20T18:33:26Z INFO Realm: MYDOMAION.COM
2016-07-20T18:33:26Z DEBUG Realm source: Discovered from LDAP DNS records in ldap.mydomain.com
2016-07-20T18:33:26Z INFO DNS Domain: mydomain.com
2016-07-20T18:33:26Z DEBUG DNS Domain source: Provided interactively
2016-07-20T18:33:26Z INFO IPA Server: ldap.mydomain.com
2016-07-20T18:33:26Z DEBUG IPA Server source: Provided interactively
2016-07-20T18:33:26Z INFO BaseDN: dc=mydomain,dc=com
2016-07-20T18:33:26Z DEBUG BaseDN source: From IPA server ldap://ldap.mydomain.com:389
2016-07-20T18:33:32Z DEBUG Starting external process
2016-07-20T18:33:32Z DEBUG args='/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'MYDOMAION.COM'
2016-07-20T18:33:32Z DEBUG Process finished, return code=3
2016-07-20T18:33:32Z DEBUG stdout=
2016-07-20T18:33:32Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
2016-07-20T18:33:32Z INFO Skipping synchronizing time with NTP server.
2016-07-20T18:33:34Z DEBUG will use principal provided as option: admin
2016-07-20T18:33:34Z DEBUG Starting external process
2016-07-20T18:33:34Z DEBUG args='keyctl' 'get_persistent' '@s' '0'
2016-07-20T18:33:34Z DEBUG Process finished, return code=0
2016-07-20T18:33:34Z DEBUG stdout=354225941
2016-07-20T18:33:34Z DEBUG stderr=
2016-07-20T18:33:34Z DEBUG Enabling persistent keyring CCACHE
2016-07-20T18:33:34Z DEBUG Writing Kerberos configuration to /tmp/tmpGxQ6Xw:
2016-07-20T18:33:34Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MYDOMAION.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  MYDOMAION.COM = {
    kdc = ldap.mydomain.com:88
    master_kdc = ldap.mydomain.com:88
    admin_server = ldap.mydomain.com:749
    default_domain = mydomain.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mydomain.com = MYDOMAION.COM
  mydomain.com = MYDOMAION.COM

2016-07-20T18:33:37Z DEBUG Initializing principal admin at MYDOMAION.COM using password
2016-07-20T18:33:37Z DEBUG Starting external process
2016-07-20T18:33:37Z DEBUG args='/usr/bin/kinit' 'admin at MYDOMAION.COM' '-c' '/tmp/tmpXBVcV7'
2016-07-20T18:33:37Z DEBUG Process finished, return code=0
2016-07-20T18:33:37Z DEBUG stdout=Password for admin at MYDOMAION.COM:
2016-07-20T18:33:37Z DEBUG stderr=
2016-07-20T18:33:37Z DEBUG trying to retrieve CA cert via LDAP from ldap.mydomain.com
2016-07-20T18:33:38Z DEBUG flushing ldap://ldap.mydomain.com:389 from SchemaCache
2016-07-20T18:33:38Z DEBUG retrieving schema for SchemaCache url=ldap://ldap.mydomain.com:389 conn=
2016-07-20T18:33:39Z DEBUG Existing CA cert and Retrieved CA cert are identical
2016-07-20T18:33:39Z DEBUG Starting external process
2016-07-20T18:33:39Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'
2016-07-20T18:33:39Z DEBUG Process finished, return code=17
2016-07-20T18:33:39Z DEBUG stdout=
2016-07-20T18:33:39Z DEBUG stderr=HTTP response code is 403, not 200

2016-07-20T18:33:39Z ERROR Joining realm failed: HTTP response code is 403, not 200

2016-07-20T18:33:39Z ERROR Installation failed. Rolling back changes.
2016-07-20T18:33:39Z ERROR IPA client is not configured on this system.

----- Original Message -----
From: "Rob Crittenden"
To: "Rubin Binder" , "Justin Stephenson"
Cc: freeipa-users at redhat.com
Sent: Wednesday, July 20, 2016 3:33:36 PM
Subject: Re: [Freeipa-users] FreeIPA Client Install 403 error

From linov.suresh at gmail.com Wed Jul 20 19:41:49 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Wed, 20 Jul 2016 15:41:49 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <578FC170.20405@redhat.com>
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com>
Message-ID:

I have restarted the pki-cad and checked if communication with the CA is working, but no luck. Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this?

[root@caer ~]# ipa cert-show 1
  Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root@caer ~]#

*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*

On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for the IPA replication issue. But we are still getting
>>
>> *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>>
>> Could you please help us to fix this?
>>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:
>>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You need to look in /var/log//debug for more information. The exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>> Great! That worked, and I successfully renewed the certificates on the IPA server. I was trying to create an IPA replica server and got an error:
>>
>> [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>>
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/17]: creating certificate server user
>>   [2/17]: creating pki-ca instance
>>   [3/17]: configuring certificate server instance
>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> Configuration of CA failed
>> [root@neit-lab ~]#
>>
>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it wasn't helpful. Wondering if you can help us on this,
>>
>>
>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>>
>> Linov Suresh wrote:
>>
>> I have followed Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)*
>>
>> While on the other hand FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add: usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate, or *replace* the existing certificate, and which format do we need to use? *pem* or *der*.
>>
>> We already successfully renewed the certificates about months back, but they expired about 6 months back and we were not able to renew till now, and it is affecting our production environment.
>>
>> Please help us.
>>
>>
>> You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.
>>
>> I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).
>>
>> # service pki-cad restart
>>
>> # service certmonger restart
>>
>> I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.
>>
>> Assuming you can, then go back in time again, this time just a few days and try renewing the LDAP and Apache server certs again.
>>
>> rob
>>
>>
>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>>
>> We have cloned and created another virtual server from the template.
>> Surprisingly this server's certificates were also expired at the same time as the previous, just lasted for a day.
>> This issue has something to do with the kerberos tickets?
>>
>> I am new to IPA and your help is highly appreciated.
>>
>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:
>>
>> *Update: my webserver and LDAP certificates were expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         *expires: 2016-07-18 15:54:36 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20111214223300':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         *expires: 2016-07-18 15:54:52 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20111214223316':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         *expires: 2016-07-18 15:55:04 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130741':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=CA Audit,O=TELOIP.NET
>>         expires: 2017-10-13 14:10:49 UTC
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130742':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130743':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=CA Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130744':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=RA Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130745':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>         track: yes
>>         auto-renew: yes
>>
>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>>
>> Yes, PKI is running and I don't see any errors in selftests. I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
>>
>> The only change which I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.
>>
>> [root@caer ~]# /etc/init.d/pki-cad status
>> pki-ca (pid 8634) is running...                            [  OK  ]
>>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>     Tomcat Port         = 9701 (for shutdown)
>>
>>     PKI Instance Name:   pki-ca
>>
>>     PKI Subsystem Type:  Root CA (Security Domain)
>>
>>     Registered PKI Security Domain Information:
>>     ==========================================================================
>>     Name:  IPA
>>     URL:   https://caer.teloip.net:9445
>>     ==========================================================================
>> [root@caer ~]#
>> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>>
>> 70 Forest Manor Rd.
>> Toronto
>> ON M2J 0A9
>> Mobile: +1 647 406 9438
>> Linkedin: ca.linkedin.com/in/linov/
>> Website: http://mylinuxthoughts.blogspot.com
>>
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,
>> >
>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>
>> Is PKI running? When you change the time, does restart of IPA help?
>>
>> >
>> > [root@caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From mohammadsereshki at yahoo.com Wed Jul 20 20:04:16 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Wed, 20 Jul 2016 20:04:16 +0000 (UTC)
Subject: [Freeipa-users] regenerate certificate
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com>

hi
I check my IPA server which is version ipa-server-3.0.0-25, command "ipa-get-cert list" shows my certificate will expire in the next 20 days. I do not know how to regenerate them,
but command "getcert list" shows the expiring certificates are related just to "CA:IPA" and certificate "CA: dogtag-ipa-renew-agent" has enough time.
would you please help me to know how to regenerate CA:IPA certificates?
Best Regards
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From peter at pakos.uk Wed Jul 20 21:26:08 2016
From: peter at pakos.uk (Peter Pakos)
Date: Wed, 20 Jul 2016 22:26:08 +0100
Subject: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
Message-ID:

Hi,

We moved our CA-less FreeIPA install into production only a few days ago and today I've noticed some problem with certificates. This is a FreeIPA 4.2 installation on Centos 7.2.
I've installed the first node with the following command:

ipa-server-install \
  -U \
  -r $REALM \
  -n $DOMAIN \
  -p $PASSWD \
  -a $PASSWD \
  --mkhomedir \
  --setup-dns \
  --no-forwarders \
  --no-dnssec-validation \
  --idstart=1100 \
  --dirsrv-cert-file=${CERT_FILE} \
  --dirsrv-cert-name=${CERT_NAME} \
  --http-cert-file=${CERT_FILE} \
  --http-cert-name=${CERT_NAME} \
  --dirsrv-pin='' \
  --http-pin=''

The ${CERT_FILE} was in PKCS12 format and it included the whole certificate chain (AddTrustExternalCARoot.pem -> USERTrustRSACA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt):

$ openssl verify -verbose -CAfile <(cat AddTrustExternalCARoot.pem USERTrustRSACA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

Today I've noticed that the /etc/ipa/ca.crt file is not the same across all nodes and I've attempted to fix it by running ipa-certupdate. Now, instead of 3 CA certificates in /etc/ipa/ca.crt I can see 5 certificates (the last 2 are the same).

To investigate this, I've split ca.crt into 5 separate files cert1-5:

[root@shdc01 temp]# for i in {1..5}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
cert4
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert5
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

As you can see, cert4 and cert5 are equal yet listed twice and they are completely different to cert3 - the one from the certificate chain supplied by the SSL provider. As per our previous conversation with Jan Cholasta, cert4/5 must have been added (by ipa-certupdate?) from certificates available on the server (ca-certificates package?).

So now, we ended up with having "USERTrust RSA Certification Authority - AddTrust AB" listed twice - one of them is correct (from the chain), the other one is incorrect:

[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
USERTrust RSA Certification Authority - AddTrust AB          ,,

[root@shdc01 ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
USERTrust RSA Certification Authority - AddTrust AB          ,,

[root@shdc01 ~]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

USERTrust RSA Certification Authority - AddTrust AB          ,,
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Now, if I try to query FreeIPA's LDAP directory (for example using ldapsearch), I get the following errors:

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).

We can clearly see that the certificate chain advertised by the server is not correct, hence it's failing the SSL handshake:

$ openssl s_client -connect shdc01.ipa.wandisco.com:636
CONNECTED(00000003)
depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.ipa.wandisco.com
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Please correct me if I'm wrong, but I think that in order to fix this we will need to remove the incorrectly added certificate "USERTrust RSA Certification Authority - AddTrust AB", but which one, since there are 2 with exactly the same nickname?

I haven't made any further changes to any of the servers as I would like to get your input first.

Please get back to me as soon as possible, it is very important for us to recover from this state in a timely manner. I'm available on #freeipa under nickname peterpakos.

Thanks in advance for your help.

--
Kind regards,
Peter Pakos
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From peter at pakos.uk Wed Jul 20 22:44:29 2016
From: peter at pakos.uk (Peter Pakos)
Date: Wed, 20 Jul 2016 23:44:29 +0100
Subject: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
Message-ID:

I've now set up a test box using exactly the same install command, SSL certificate etc...
The /etc/ipa/ca.crt contains only 3 certificates but they are not the CA certificates that were included in the PKCS12 file:

[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2

So out of the box, the certificate "USERTrust RSA Certification Authority" is listed there twice.

[root@dupa temp]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Please note, in the databases the certificate "USERTrust RSA Certification Authority - AddTrust AB" is only listed once.

How do I fix our production installation?
-- 
Kind regards,
Peter Pakos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From flo at redhat.com Thu Jul 21 07:00:42 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Thu, 21 Jul 2016 09:00:42 +0200
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com>
Message-ID: 

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> hi
> I checked my IPA server, which is version ipa-server-3.0.0-25; the command
> "ipa-getcert list" shows my certificates will expire in the next 20 days,
> and I do not know how to regenerate them.
> The command "getcert list" shows the expiring certificates are related just
> to "CA: IPA", and the certificate with "CA: dogtag-ipa-renew-agent" has enough
> time.
> Would you please help me to know how to regenerate the CA: IPA certificates?
>
> Best Regards
>
>
Hi Mohammad,

the certificates issued by the IPA CA are normally tracked by certmonger and automatically renewed when they are near their expiration date. To make sure that your certificates are tracked, you can issue

$ ipa-getcert list

and check the "status:" field for each certificate. It should display "MONITORING".

If you want to manually renew them, you must note their request ID and use the command

$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.
From mohammadsereshki at yahoo.com Thu Jul 21 07:59:19 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 07:59:19 +0000 (UTC)
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: 
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com>

Dear,
thanks, but would you please check below and let me know what your idea is? I checked your command but it did not work.

Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140817123602':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:36:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20140817123752':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:37:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
You have new mail in /var/spool/mail/root

From: Florence Blanc-Renaud
To: mohammad sereshki; Freeipa-users
Sent: Thursday, July 21, 2016 11:30 AM
Subject: Re: [Freeipa-users] regenerate certificate

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> hi
> I checked my IPA server, which is version ipa-server-3.0.0-25; the command
> "ipa-getcert list" shows my certificates will expire in the next 20 days,
> and I do not know how to regenerate them.
> The command "getcert list" shows the expiring certificates are related just
> to "CA: IPA", and the certificate with "CA: dogtag-ipa-renew-agent" has enough
> time.
> Would you please help me to know how to regenerate the CA: IPA certificates?
>
> Best Regards
>
>
Hi Mohammad,

the certificates issued by the IPA CA are normally tracked by certmonger and automatically renewed when they are near their expiration date. To make sure that your certificates are tracked, you can issue

$ ipa-getcert list

and check the "status:" field for each certificate. It should display "MONITORING".

If you want to manually renew them, you must note their request ID and use the command

$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From mbasti at redhat.com Thu Jul 21 11:40:23 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 21 Jul 2016 13:40:23 +0200
Subject: [Freeipa-users] [howto] IPA (DNS) Locations
Message-ID: <36ddffdd-729c-b034-d9b5-374955960be7@redhat.com>

Hello all,

I prepared a howto for the new feature in IPA 4.4:
https://www.freeipa.org/page/Howto/IPA_locations

Feel free to report/fix any errors :-)

With regards,
Martin

From jan.karasek at elostech.cz Thu Jul 21 11:56:33 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Thu, 21 Jul 2016 13:56:33 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <20160720160629.bietw7md672bm22c@redhat.com>
References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> <20160720160629.bietw7md672bm22c@redhat.com>
Message-ID: <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz>

Thank you. Now I have IDMU installed, and when creating the trust IPA is correctly autodetecting the range type:

  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes

When asking for the uid of the AD user:

[root@ipa1 sssd]# id user1@example.tt
uid=1392001119(user1@example.tt) gid=1392001119(user1@example.tt) groups=1392001119(user1@example.tt),1392000513(domain users@example.tt),979000007(external_users)

... so ID-mapping is still in action.

According to the doc:

To use existing POSIX attributes, two things must be configured:
* The POSIX attributes must be published to Active Directory's global catalog.
  - done with uidNumber, gidNumber
* ID mapping (ldap_id_mapping in the Active Directory domain entry) must be disabled in SSSD.
  - done

Here is my sssd.conf from the IPA server. Is there anything else I should do to switch off ID-mapping?

[domain/a.example.tt]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt, example.tt

[nss]
#debug_level = 5
#homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

[pam]
#debug_level = 5

[sudo]

[autofs]

[ssh]
#debug_level = 4

[pac]
#debug_level = 4

[ifp]

Regards,
Jan

From: "Alexander Bokovoy"
To: "Jan Karásek"
Cc: "Justin Stephenson", freeipa-users at redhat.com
Sent: Wednesday, July 20, 2016 6:06:29 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

On Wed, 20 Jul 2016, Jan Karásek wrote:
>Hi,
>
>thank you.
>
>ldapsearch reply:
>
>search: 2
>result: 32 No such object
>matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
>text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
>match of:
>'CN=RpcServices,CN=System,DC=rwe,DC=tt'
>
>actually when I look under CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
>
>Did I miss setting something on the AD side?
Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft
removed the IDMU tools. The LDAP schema will stay but there will be no means
to visually edit POSIX attributes.
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

>
>Thanks,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek"
>Cc: freeipa-users at redhat.com
>Sent: Wednesday, July 20, 2016 4:09:02 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>These attributes should be available from port 389 and not the global catalog, please try a command such as:
>
>ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
>
>Replacing the root suffix in the search base, the IP address and the bind credentials.
>
>Kind regards,
>Justin Stephenson
>
>On 07/20/2016 08:15 AM, Jan Karásek wrote:
>
>Hi,
>
>thank you for the hint.
>
>In /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>
>It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>
>If I understand it right, it is the base uid number and the number of uids in the range.
>
>If not discovered nor given via CLI, then it generates a random base and adds some default_range_size.
>
>So these two attributes must be set to use the ipa-ad-trust-posix range?
>
>Could anybody help me how and where to check these attributes? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in the schema - so no values assigned.
>I'm using W2012 R2.
>
>Thank you,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek", freeipa-users at redhat.com
>Sent: Tuesday, July 19, 2016 8:36:00 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>Hello,
>
>When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
>
>You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>
>I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uidNumbers and gidNumbers of your AD environment.
>
>Kind regards,
>Justin Stephenson
>
>On 07/19/2016 09:44 AM, Jan Karásek wrote:
>
>Hi,
>
>I am still fighting with storing users' POSIX attributes in AD. Please can anybody provide some simple reference settings of an IPA-AD trust where users are able to get their uid from AD - not from the IPA ID pool?
>
>I have tried to set the values of the attributes before and after creating the trust, I have tried different sssd settings, but I'm still getting the uid from the IPA idrange pool instead of from the AD user's attribute.
>
>What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
>Do I have to fill some AD user attributes to get it to work? Currently I am testing just with uidNumber and gidNumber.
>
>There is almost no documentation about this topic so I don't know what else I can try ...
>
>Thanks for help,
>
>Jan
>
>Date: Tue, 21 Jun 2016 21:38:15 +0200
>From: Jakub Hrozek
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>Message-ID: <20160621193815.GS29512 at hendrix>
>Content-Type: text/plain; charset=iso-8859-1
>
>On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
>> Hi all,
>>
>> I have a question about IPA with an AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>>
>> I have set up the trust with these parameters:
>>
>> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>
>Did you add the POSIX attributes to AD after creating the trust maybe?
>
>>
>> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>>   Range name: EXAMPLE.TT_id_range
>>   First Posix ID of the range: 1392000000
>>   Number of IDs in the range: 200000
>>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>>   Range type: Active Directory trust range with POSIX attributes
>>
>>
>> I have set attributes in AD for user@EXAMPLE.TT
>> - uidNumber - 10000
>> - homeDirectory - /home/user
>> - loginShell - /bin/bash
>>
>> The trust itself works fine. I can do kinit with user@EXAMPLE.TT, I can run id and getent passwd user@example.tt, and I can use user@example.tt for ssh.
>>
>> The problem is that I am not getting the uid from AD but from the idrange:
>>
>> uid=1392001107(user@example.tt)
>>
>> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
>
>This has no effect, in the IPA-AD trust scenario the id mapping properties
>are managed on the server.
>
>>
>> I know that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from the HR system - POSIX attributes included - and we need IPA to read them from AD.
>
>I think idviews are better for overriding POSIX attributes for a
>specific set of hosts, but in your environment it sounds like you want
>to use the POSIX attributes across the board.
>
>>
>> So my questions are:
>>
>> Is it possible to read users' POSIX attributes directly from AD - namely uid?
>
>Yes
>
>> Which attributes can be stored in AD?
>
>Homedir is a bit special, for backwards compatibility the
>subdomains_homedir takes precedence. The others should be read from AD.
>
>I don't have the environment set up at the moment, though, so I'm operating
>purely from memory.
>
>> Am I doing something wrong?
>>
>> my sssd.conf:
>> [domain/a.example.tt]
>> debug_level = 5
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = a.example.tt
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa1.a.example.tt
>> chpass_provider = ipa
>> ipa_server = ipa1.a.example.tt
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_id_mapping = true
>> #subdomain_inherit = ldap_user_principal
>> #ldap_user_principal = nosuchattribute
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = a.example.tt
>> [nss]
>> debug_level = 5
>> homedir_substring = /home
>> enum_cache_timeout = 2
>> entry_negative_timeout = 2
>>
>>
>> [pam]
>> debug_level = 5
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>> debug_level = 4
>> [pac]
>>
>> debug_level = 4
>> [ifp]
>>
>> Thanks,
>> Jan
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From pvoborni at redhat.com Thu Jul 21 13:45:03 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 21 Jul 2016 15:45:03 +0200
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: 
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com>
Message-ID: <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com>

On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is
> working, but no luck.
>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
> anything other than this?
/var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

/var/log/pki-ca/debug
/var/log/pki-ca/transactions
/var/log/pki-ca/selftest.log

>
> [root@caer ~]# ipa cert-show 1
>   Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
> SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
> MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
> HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
> A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
> ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
> tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
> UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
> tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
> 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
> BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
> HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
> AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
> MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
> kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
> 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
> nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
> e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
> b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
>   Subject: CN=Certificate Authority,O=TELOIP.NET
>   Issuer: CN=Certificate Authority,O=TELOIP.NET
>   Not Before: Wed Dec 14 22:29:56 2011 UTC
>   Not After: Sat Dec 14 22:29:56 2019 UTC
>   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>   Serial number (hex): 0x1
>   Serial number: 1
> [root@caer ~]#
>
> *ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>
>
> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
>
>> Linov Suresh wrote:
>>
>>> Thanks for your help Rob, I will create a separate thread for the IPA
>>> replication issue. But we are still getting
>>>
>>> *ca-error: Internal error: no response to
>>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>>>
>>> Could you please help us to fix this?
>>
>> I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
>> like: ipa cert-show 1
>>
>> You should get back a cert (doesn't really matter what cert).
>>
>> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>>
>> rob
>>
>>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden wrote:
>>>
>>> Glad you got the certificates successfully renewed.
>>>
>>> Can you open a new e-mail thread on this new problem so we can keep
>>> the issues separated?
>>>
>>> IPA gets little information back when dogtag fails to install. You
>>> need to look in /var/log//debug for more information. The
>>> exact location depends on the version of IPA.
>>>
>>> rob
>>>
>>> Linov Suresh wrote:
>>>
>>> Great! That worked, and I successfully renewed the certificates on
>>> the IPA server. Then I was trying to create an IPA replica server and got
>>> an error:
>>>
>>> [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>>> Directory Manager (existing master) password:
>>>
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>   [1/3]: creating directory server user
>>>   [2/3]: creating directory server instance
>>>   [3/3]: restarting directory server
>>> Done configuring directory server for the CA (pkids).
>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>   [1/17]: creating certificate server user
>>>   [2/17]: creating pki-ca instance
>>>   [3/17]: configuring certificate server instance
>>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> Configuration of CA failed
>>> [root@neit-lab ~]#
>>>
>>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>>> wasn't helpful. Wondering if you can help us on this.
>>>
>>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>>>
>>> Linov Suresh wrote:
>>>
>>> I have followed the Redhat official documentation,
>>> https://access.redhat.com/solutions/643753 for certificate renewal,
>>> which says *add: usercertificate* (step 12).
>>>
>>> While on the other hand the FreeIPA official documentation
>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
>>> *add: usercertificate;binary*
>>>
>>> Just wondering if we need to *add* the certificate, or *replace* the
>>> existing certificate, and which format do we need to use? *pem* or *der*.
>>>
>>> We already successfully renewed the certificates about months back, but
>>> they expired about 6 months back and we were not able to renew till
>>> now, and it has affected our production environment.
>>>
>>> Please help us.
>>>
>>> You shouldn't have to mess with these values at all. In 3.0 this is
>>> handled somewhat automatically.
>>>
>>> I'd restart the CA, then certmonger and see if the communication
>>> error goes away for the CA subservice certificates (the internal error).
>>>
>>> # service pki-cad restart
>>>
>>> # service certmonger restart
>>>
>>> I find it very strange that the certificates were set to expire
>>> yesterday but it isn't a show-stopper necessarily assuming you can
>>> get the CA back up.
>>>
>>> Assuming you can, then go back in time again, this time just a few
>>> days and try renewing the LDAP and Apache server certs again.
>>>
>>> rob
>>>
>>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>>>
>>> We have cloned and created another virtual server from the template.
>>> Surprisingly this server's certificates were also expired at the same
>>> time as the previous, just lasted for a day.
> This issue has something to do with the kerberos > tickets? > > I am new to IPA and your help is highly appreciated. > > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh > > > > > >> > > > > > >>>> > wrote: > > *Update: my webserver and LDAP certificates > were expired at > 2016-07-18 15:54:36 UTC and the certificates > are in > CA_UNREACHABLE state.* > * > * > *Could you please help us? > * > > [root at caer tmp]# getcert list > Number of certificates and requests being > tracked: 8. > Request ID '20111214223243': > status: CA_UNREACHABLE > ca-error: Server failed request, will > retry: -504 > (libcurl failed to execute the HTTP POST > transaction. Peer > certificate cannot be authenticated with known CA > certificates). > stuck: yes > key pair storage: > > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > certificate: > > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > > > ,O=TELOIP.NET > > > > *expires: 2016-07-18 15:54:36 UTC* > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: CA_UNREACHABLE > ca-error: Server failed request, will > retry: -504 > (libcurl failed to execute the HTTP POST > transaction. Peer > certificate cannot be authenticated with known CA > certificates). 
> stuck: yes > key pair storage: > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > > > ,O=TELOIP.NET > > > > *expires: 2016-07-18 15:54:52 UTC* > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: CA_UNREACHABLE > ca-error: Server failed request, will > retry: -504 > (libcurl failed to execute the HTTP POST > transaction. Peer > certificate cannot be authenticated with known CA > certificates). > stuck: yes > key pair storage: > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate > Authority,O=TELOIP.NET > > > subject: CN=caer.teloip.net > > > > ,O=TELOIP.NET > > > > *expires: 2016-07-18 15:55:04 UTC* > > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: MONITORING > ca-error: Internal error: no response to > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". 
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Audit,O=TELOIP.NET
>         expires: 2017-10-13 14:10:49 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=RA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>         track: yes
>         auto-renew: yes
>
> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh wrote:
>
>> Yes, PKI is running and I don't see any errors in selftests,
>> I have followed https://access.redhat.com/solutions/643753
>> and restarted the PKI in step 10.
>>
>> The only change which I made was clean up userCertificate;binary before adding new userCertificate in LDAP, which is step 12.
>>
>> [root at caer ~]# /etc/init.d/pki-cad status
>> pki-ca (pid 8634) is running...
>>                                                            [  OK  ]
>>     Unsecure Port             = http://caer.teloip.net:9180/ca/ee/ca
>>     Secure Agent Port         = https://caer.teloip.net:9443/ca/agent/ca
>>     Secure EE Port            = https://caer.teloip.net:9444/ca/ee/ca
>>     Secure Admin Port         = https://caer.teloip.net:9445/ca/services
>>     EE Client Auth Port       = https://caer.teloip.net:9446/ca/eeca/ca
>>     PKI Console Port          = pkiconsole https://caer.teloip.net:9445/ca
>>     Tomcat Port               = 9701 (for shutdown)
>>
>>     PKI Instance Name:   pki-ca
>>
>>     PKI Subsystem Type:  Root CA (Security Domain)
>>
>>     Registered PKI Security Domain Information:
>>     ==========================================================================
>>     Name:  IPA
>>     URL:   https://caer.teloip.net:9445
>>     ==========================================================================
>> [root at caer ~]#
>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>> 70 Forest Manor Rd.
>> Toronto ON M2J 0A9
>> Mobile: +1 647 406 9438
>> Linkedin: ca.linkedin.com/in/linov/
>> Website: http://mylinuxthoughts.blogspot.com
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik wrote:
>>
>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>>> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>>>> certmonger. Look like certificates were renewed. But I'm getting a different
>>>> error now,
>>>>
>>>> ca-error: Internal error: no response to
>>>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>
>>> Is PKI running? When you change the time, does restart of IPA help?
>>>
>>>> [root at caer ~]# getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20111214223243':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>         subject: CN=caer.teloip.net
>
> --
> Petr Vobornik

From jstephen at redhat.com Thu Jul 21 13:54:25 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Thu, 21 Jul 2016 09:54:25 -0400
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz>
References: <1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz> <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> <20160720160629.bietw7md672bm22c@redhat.com> <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz>
Message-ID:

Hello,

You should remove the following from sssd.conf:

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

With the AD trust configuration, you do not need to specify any additional domain because IPA will contact AD across the trust using the external and POSIX groups you created during the trust setup.

Once done, try restarting sssd and removing the /var/lib/sss/db/* cache.

Kind regards,
Justin Stephenson

On 07/21/2016 07:56 AM, Jan Kar?sek wrote:
> Thank you.
>
> Now I have IDMU installed and when creating trust, IPA is correctly autodetecting the range type:
>
>   Range name: EXAMPLE.TT_id_range
>   First Posix ID of the range: 10000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>   Range type: Active Directory trust range with POSIX attributes
>
> When asking for uid of the AD user:
>
> [root at ipa1 sssd]# id user1 at example.tt
> uid=1392001119(user1 at example.tt) gid=1392001119(user1 at example.tt) groups=1392001119(user1 at example.tt),1392000513(domain users at example.tt),979000007(external_users)
>
> ... so ID-mapping is still in action.
>
> According to doc:
>
> To use existing POSIX attributes, two things must be configured:
>
>   * The POSIX attributes must be published to Active Directory's global catalog. - done with uidNumber, gidNumber
>   * ID mapping (ldap_id_mapping in the Active Directory domain entry) must be disabled in SSSD. - done
>
> Here is my sssd.conf from IPA server. Is there anything else I should do to switch off ID-mapping?
>
> [domain/a.example.tt]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [domain/example.tt]
> debug_level = 7
> ldap_id_mapping = False
> id_provider = ad
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = a.example.tt, example.tt
>
> [nss]
> #debug_level = 5
> #homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
> [pam]
> #debug_level = 5
>
> [sudo]
>
> [autofs]
>
> [ssh]
> #debug_level = 4
>
> [pac]
> #debug_level = 4
>
> [ifp]
>
> Regards,
> Jan
>
> ------------------------------------------------------------------------
> From: "Alexander Bokovoy"
> To: "Jan Kar?sek"
> Cc: "Justin Stephenson", freeipa-users at redhat.com
> Sent: Wednesday, July 20, 2016 6:06:29 PM
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
> On Wed, 20 Jul 2016, Jan Kar?sek wrote:
>> Hi,
>>
>> thank you.
>>
>> ldapsearch reply:
>>
>> search: 2
>> result: 32 No such object
>> matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
>> text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
>> 'CN=RpcServices,CN=System,DC=rwe,DC=tt'
>>
>> actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
>>
>> Did I miss setting something on the AD side?
> Yes. You need to setup IDMU. However, in Windows Server 2016 Microsoft
> removed IDMU tools. The LDAP schema will stay but there will
> be no means to visually edit POSIX attributes.
> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
>
>> Thanks,
>> Jan
>>
>> From: "Justin Stephenson"
>> To: "Jan Kar?sek"
>> Cc: freeipa-users at redhat.com
>> Sent: Wednesday, July 20, 2016 4:09:02 PM
>> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>>
>> These attributes should be available from port 389 and not the global catalog, please try a command such as:
>>
>> ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
>>
>> Replacing the root suffix in the search base, the ip-address and bind credentials.
>>
>> Kind regards,
>> Justin Stephenson
>>
>> On 07/20/2016 08:15 AM, Jan Kar?sek wrote:
>>
>> Hi,
>>
>> thank you for the hint.
>>
>> In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>>
>> It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>>
>> If I understand it right, it is base uid number and the number of uids in range.
>>
>> If not discovered nor given via CLI, then it generates random base and adds some default_range_size.
>>
>> So these two attributes must be set to use ipa-ad-trust-posix range?
>>
>> Could anybody help me how and where to check these attributes? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned.
>> I'm using W2012 R2.
>>
>> Thank you,
>> Jan
>>
>> From: "Justin Stephenson"
>> To: "Jan Kar?sek", freeipa-users at redhat.com
>> Sent: Tuesday, July 19, 2016 8:36:00 PM
>> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>>
>> Hello,
>>
>> When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
>>
>> You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>>
>> I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
>>
>> Kind regards,
>> Justin Stephenson
>>
>> On 07/19/2016 09:44 AM, Jan Kar?sek wrote:
>>
>> Hi,
>>
>> I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool?
>>
>> I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute.
>>
>> What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>>
>> Do I have to mandatory fill some AD user's attributes to get it work? Currently I'm testing just with uidNumber and gidNumber.
>>
>> There is almost no documentation about this topic so I don't know what else I can try ...
>>
>> Thanks for help,
>>
>> Jan
>>
>> Date: Tue, 21 Jun 2016 21:38:15 +0200
>> From: Jakub Hrozek
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>> Message-ID: <20160621193815.GS29512 at hendrix>
>> Content-Type: text/plain; charset=iso-8859-1
>>
>> On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek wrote:
>>> Hi all,
>>>
>>> I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>>>
>>> I have set up trust with this parameters:
>>>
>>> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>>
>> Did you add the POSIX attributes to AD after creating the trust maybe?
>>
>>>
>>> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>>>   Range name: EXAMPLE.TT_id_range
>>>   First Posix ID of the range: 1392000000
>>>   Number of IDs in the range: 200000
>>>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>>>   Range type: Active Directory trust range with POSIX attributes
>>>
>>> I have set attributes in AD for user at EXAMPLE.TT
>>> - uidNumber - 10000
>>> - homeDirectory - /home/user
>>> - loginShell - /bin/bash
>>>
>>> Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>>>
>>> Problem is, that I am not getting uid from AD but from idrange:
>>>
>>> uid=1392001107(user at example.tt)
>>>
>>> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
>>
>> This has no effect, in IPA-AD trust scenario, the id mapping properties
>> are managed on the server.
>>
>>> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users information are externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD.
>>
>> I think idviews are better for overriding POSIX attributes for a
>> specific set of hosts, but in your environment, it sounds like you want
>> to use the POSIX attributes across the board.
>>
>>> So my questions are:
>>>
>>> Is it possible to read user's POSIX attributes directly from AD - namely uid?
>>
>> Yes
>>
>>> Which attributes can be stored in AD?
>>
>> Homedir is a bit special, for backwards compatibility the
>> subdomains_homedir takes precedence. The others should be read from AD.
>>
>> I don't have the environment set at the moment, though, so I'm operating
>> purely from memory.
>>
>>> Am I doing something wrong?
>>>
>>> my sssd.conf:
>>> [domain/a.example.tt]
>>> debug_level = 5
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = a.example.tt
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = ipa1.a.example.tt
>>> chpass_provider = ipa
>>> ipa_server = ipa1.a.example.tt
>>> ipa_server_mode = True
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> #ldap_id_mapping = true
>>> #subdomain_inherit = ldap_user_principal
>>> #ldap_user_principal = nosuchattribute
>>>
>>> [sssd]
>>> services = nss, sudo, pam, ssh
>>> config_file_version = 2
>>> domains = a.example.tt
>>>
>>> [nss]
>>> debug_level = 5
>>> homedir_substring = /home
>>> enum_cache_timeout = 2
>>> entry_negative_timeout = 2
>>>
>>> [pam]
>>> debug_level = 5
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>> debug_level = 4
>>>
>>> [pac]
>>> debug_level = 4
>>>
>>> [ifp]
>>>
>>> Thanks,
>>> Jan
>>
>> --
>> Manage your
>> subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From linov.suresh at gmail.com Thu Jul 21 14:04:51 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Thu, 21 Jul 2016 10:04:51 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com>
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com>
Message-ID:

This could be because of incorrect trust attributes on the certificates. The current attributes are:

[root at caer ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,Pu
subsystemCert cert-pki-ca                                    u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

I'm going to fix the trust attributes and try.

On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik wrote:

> On 07/20/2016 09:41 PM, Linov Suresh wrote:
>> I have restarted the pki-cad and checked if communication with the CA is
>> working, but no luck,
>>
>> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
>> anything other than this?
>
> /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>
> /var/log/pki-ca/debug
> /var/log/pki-ca/transactions
> /var/log/pki-ca/selftest.log
>
>> [root at caer ~]# ipa cert-show 1
>>   Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
>> SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
>> MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
>> HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
>> A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
>> ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
>> tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
>> UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
>> tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
>> 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
>> BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
>> HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
>> AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
>> MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
>> kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
>> 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
>> nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
>> e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
>> b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
>>   Subject: CN=Certificate Authority,O=TELOIP.NET
>>   Issuer: CN=Certificate Authority,O=TELOIP.NET
>>   Not Before: Wed Dec 14 22:29:56 2011 UTC
>>   Not After: Sat Dec 14 22:29:56 2019 UTC
>>   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>>   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>>   Serial number (hex): 0x1
>>   Serial number: 1
>> [root at caer ~]#
>>
>> ca-error: Internal error: no response to
>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>
>> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
>>
>>> Linov Suresh wrote:
>>>
>>>> Thanks for your help Rob, I will create a separate thread for IPA
>>>> replication issue. But we are still getting
>>>>
>>>> ca-error: Internal error: no response to
>>>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>>
>>>> Could you please help us to fix this?
>>>
>>> I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
>>> like: ipa cert-show 1
>>>
>>> You should get back a cert (doesn't really matter what cert).
>>>
>>> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>>>
>>> rob
>>>
>>>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>>> Glad you got the certificates successfully renewed.
>>>>>
>>>>> Can you open a new e-mail thread on this new problem so we can keep
>>>>> the issues separated?
>>>>>
>>>>> IPA gets little information back when dogtag fails to install. You
>>>>> need to look in /var/log//debug for more information. The
>>>>> exact location depends on the version of IPA.
>>>>>
>>>>> rob
>>>>>
>>>>> Linov Suresh wrote:
>>>>>
>>>>>> Great!
>>>>>> That worked, and I was successfully renewed the certificates on
>>>>>> the IPA server and I was trying to create a IPA replica server
>>>>>> and got an error,
>>>>>>
>>>>>> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>>>>>> Directory Manager (existing master) password:
>>>>>> Configuring NTP daemon (ntpd)
>>>>>>   [1/4]: stopping ntpd
>>>>>>   [2/4]: writing configuration
>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>   [4/4]: starting ntpd
>>>>>> Done configuring NTP daemon (ntpd).
>>>>>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>>>>   [1/3]: creating directory server user
>>>>>>   [2/3]: creating directory server instance
>>>>>>   [3/3]: restarting directory server
>>>>>> Done configuring directory server for the CA (pkids).
>>>>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>>>   [1/17]: creating certificate server user
>>>>>>   [2/17]: creating pki-ca instance
>>>>>>   [3/17]: configuring certificate server instance
>>>>>> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>>>>>> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>> Configuration of CA failed
>>>>>> [root at neit-lab ~]#
>>>>>>
>>>>>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>>>>>> wasn't helpful. Wondering if you can help us on this,
>>>>>>
>>>>>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden wrote:
>>>>>>
>>>>>>> Linov Suresh wrote:
>>>>>>>
>>>>>>>> I have followed Redhat official documentation,
>>>>>>>> https://access.redhat.com/solutions/643753 for certificate renewal,
>>>>>>>> which says add: usercertificate. (step 12)
>>>>>>>>
>>>>>>>> While on the other hand FreeIPA official documentation
>>>>>>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to add:
>>>>>>>> usercertificate;binary
>>>>>>>>
>>>>>>>> Just wondering if we need to add the certificate? or replace the
>>>>>>>> existing certificate and which format do we need to use? pem or der.
>>>>>>>>
>>>>>>>> We already successfully renewed the certificates about months back, but
>>>>>>>> they were expired about 6 months back and we were not able to renew till
>>>>>>>> now, and it has affected our production environment.
>>>>>>>>
>>>>>>>> Please help us.
>>>>>>>
>>>>>>> You shouldn't have to mess with these values at all. In 3.0 this is
>>>>>>> handled somewhat automatically.
>>>>>>>
>>>>>>> I'd restart the CA, then certmonger and see if the communication
>>>>>>> error goes away for the CA subservice certificates (the internal error).
>>>>>>>
>>>>>>> # service pki-cad restart
>>>>>>>
>>>>>>> # service certmonger restart
>>>>>>>
>>>>>>> I find it very strange that the certificates were set to expire
>>>>>>> yesterday but it isn't a show-stopper necessarily assuming you can
>>>>>>> get the CA back up.
>>>>>>>
>>>>>>> Assuming you can, then go back in time again, this time just a few
>>>>>>> days and try renewing the LDAP and Apache server certs again.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> We have cloned and created another virtual server from the template.
>>>>>>>>> Surprisingly this server certificates were also expired at the same
>>>>>>>>> time as the previous, just lasted for a day.
>>>>>>>>> This issue has something to do with the kerberos tickets?
>>>>>>>>>
>>>>>>>>> I am new to IPA and your help is highly appreciated.
>>>>>>>>>
>>>>>>>>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Update: my webserver and LDAP certificates were expired at
>>>>>>>>>> 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.
>>>>>>>>>>
>>>>>>>>>> Could you please help us?
>>>>>>>>>>
>>>>>>>>>> [root at caer tmp]# getcert list
>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>> Request ID '20111214223243':
>>>>>>>>>>         status: CA_UNREACHABLE
>>>>>>>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>>>>         stuck: yes
>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>>>>>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>         CA: IPA
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>         expires: 2016-07-18 15:54:36 UTC
>>>>>>>>>>         eku: id-kp-serverAuth
>>>>>>>>>>         pre-save command:
>>>>>>>>>>         post-save command:
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20111214223300':
>>>>>>>>>>         status: CA_UNREACHABLE
>>>>>>>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>>>>         stuck: yes
>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>>>>>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>         CA: IPA
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>         expires: 2016-07-18 15:54:52 UTC
>>>>>>>>>>         eku: id-kp-serverAuth
>>>>>>>>>>         pre-save command:
>>>>>>>>>>         post-save command:
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20111214223316':
>>>>>>>>>>         status: CA_UNREACHABLE
>>>>>>>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>>>>>>>         stuck: yes
>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>>>>>>         CA: IPA
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>         expires: 2016-07-18 15:55:04 UTC
>>>>>>>>>>         eku: id-kp-serverAuth
>>>>>>>>>>         pre-save command:
>>>>>>>>>>         post-save command:
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20130519130741':
>>>>>>>>>>         status: MONITORING
>>>>>>>>>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>>>>>>>>>         stuck: no
>>>>>>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>         CA: dogtag-ipa-renew-agent
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=CA Audit,O=TELOIP.NET
>>>>>>>>>>         expires: 2017-10-13 14:10:49 UTC
>>>>>>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20130519130742':
>>>>>>>>>>         status: MONITORING
>>>>>>>>>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>>>>>>>>         stuck: no
>>>>>>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>         CA: dogtag-ipa-renew-agent
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>>>>>>>>>>         expires: 2017-10-13 14:09:49 UTC
>>>>>>>>>>         eku: id-kp-OCSPSigning
>>>>>>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20130519130743':
>>>>>>>>>>         status: MONITORING
>>>>>>>>>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>>>>>>>>         stuck: no
>>>>>>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>         CA: dogtag-ipa-renew-agent
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=CA Subsystem,O=TELOIP.NET
>>>>>>>>>>         expires: 2017-10-13 14:09:49 UTC
>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20130519130744':
>>>>>>>>>>         status: MONITORING
>>>>>>>>>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>>>>>>>>>         stuck: no
>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>         CA: dogtag-ipa-renew-agent
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=RA Subsystem,O=TELOIP.NET
>>>>>>>>>>         expires: 2017-10-13 14:09:49 UTC
>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>         pre-save command:
>>>>>>>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>> Request ID '20130519130745':
>>>>>>>>>>         status: MONITORING
>>>>>>>>>>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>>>>>>>>>         stuck: no
>>>>>>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>>>>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>         CA: dogtag-ipa-renew-agent
>>>>>>>>>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>>>>>>>>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>>>>>>>>>         expires: 2017-10-13 14:09:49 UTC
>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>         pre-save command:
>>>>>>>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>>>>>>>>>         track: yes
>>>>>>>>>>         auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Yes, PKI is running and I don't see any errors in selftests,
>>>>>>>>>>> I have followed https://access.redhat.com/solutions/643753
>>>>>>>>>>> and restarted the PKI in step 10.
>>>>>>>>>>>
>>>>>>>>>>> The only change which I made was clean up userCertificate;binary before adding new userCertificate in LDAP, which is step 12.
>>>>>>>>>>>
>>>>>>>>>>> [root at caer ~]# /etc/init.d/pki-cad status
>>>>>>>>>>> pki-ca (pid 8634) is running...                            [  OK  ]
>>>>>>>>>>>     Unsecure Port             = http://caer.teloip.net:9180/ca/ee/ca
>>>>>>>>>>>     Secure Agent Port         = https://caer.teloip.net:9443/ca/agent/ca
>>>>>>>>>>>     Secure EE Port            = https://caer.teloip.net:9444/ca/ee/ca
>>>>>>>>>>>     Secure Admin Port         = https://caer.teloip.net:9445/ca/services
>>>>>>>>>>>     EE Client Auth Port       = https://caer.teloip.net:9446/ca/eeca/ca
>>>>>>>>>>>     PKI Console Port          = pkiconsole https://caer.teloip.net:9445/ca
>>>>>>>>>>>     Tomcat Port               = 9701 (for shutdown)
>>>>>>>>>>>
>>>>>>>>>>>     PKI Instance Name:   pki-ca
>>>>>>>>>>>
>>>>>>>>>>>     PKI Subsystem Type:  Root CA (Security Domain)
>>>>>>>>>>>
>>>>>>>>>>>     Registered PKI Security Domain Information:
>>>>>>>>>>>     ==========================================================================
>>>>>>>>>>>     Name:  IPA
>>>>>>>>>>>     URL:   https://caer.teloip.net:9445
>>>>>>>>>>>     ==========================================================================
>>>>>>>>>>> [root at caer ~]#
>>>>>>>>>>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>>>>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>>>>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>>>>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>>>>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>>>>>>>>>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>>>>>>>>>>> 8634.main -
[18/Jul/2016:11:46:20 > EDT] > > [20] [1] > > SelfTestSubsystem: Self test > plugins have > > been > > successfully > > loaded! > > 8634.main - [18/Jul/2016:11:46:21 > EDT] > > [20] [1] > > SelfTestSubsystem: Running self > test plugins > > specified to be > > executed at startup: > > 8634.main - [18/Jul/2016:11:46:21 > EDT] > > [20] [1] > > CAPresence: > > CA is present > > 8634.main - [18/Jul/2016:11:46:21 > EDT] > > [20] [1] > > SystemCertsVerification: system > certs > > verification > > success > > 8634.main - [18/Jul/2016:11:46:21 > EDT] > > [20] [1] > > SelfTestSubsystem: All CRITICAL > self test > > plugins ran > > SUCCESSFULLY at startup! > > > > Your help is highly appreciated! > > > > Linov Suresh > > > > 70 Forest Manor Rd. > > Toronto > > ON M2J 0A9 > > Mobile: +1 647 406 9438 > > > > > > > > > > Linkedin: > ca.linkedin.com/in/linov/ > > > > > > > > < > http://ca.linkedin.com/in/linov/> > > Website: > > http://mylinuxthoughts.blogspot.com > > > > > > On Mon, Jul 18, 2016 at 10:50 AM, > Petr > > Vobornik > > > > > >> > > > > >>> > > pvoborni at redhat.com> > > >> > > > > >>>> > wrote: > > > > On 07/18/2016 05:45 AM, Linov > Suresh > > wrote: > > > Thanks for the update Rob. > I went > > back to Jan > > 20, 2016, restarted CA and > > > certmonger. Look like > certificates were > > renewed. But I'm getting a different > > > error now, > > > > > > *ca-error: Internal error: > no > > response to > > > > > > > > > > > " > http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ".* > > > > Is PKI running? When you > change the > > time, does > > restart > > of IPA help? > > > > > > > > [root at caer ~]# getcert list > > > Number of certificates and > requests > > being > > tracked: 8. 
> > > Request ID '20111214223243': > > > status: MONITORING > > > stuck: no > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' > > > certificate: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: > CN=Certificate > > Authority,O=TELOIP.NET > > > > > > > > > > > subject: > > CN=caer.teloip.net > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From malo at avast.com Thu Jul 21 14:27:19 2016 From: malo at avast.com (malo) Date: Thu, 21 Jul 2016 16:27:19 +0200 Subject: [Freeipa-users] AD Sync issue Message-ID: <5790DBC7.6040303@avast.com> Hello everyone, I have one issue with replication from AD to IPA. Right now on my IPA master I have the current packages : ipa-admintools.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-client.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-python.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-server.x86_64 4.2.0-15.0.1.el7.centos.17 @updates ipa-server-dns.x86_64 4.2.0-15.0.1.el7.centos.17 @updates My IPA realm is ipa.XX.XXX.example.com and my AD realm is XXX.example.com. My IPA setup is without CA and it uses the same one as the AD for the certificates. 
I've set up the replication like this:

ipa-replica-manage connect -v --winsync -p PASS --binddn DN_TO_USE --bindpw VERY_STRONG_PASS --passsync PASSSYNPWD --cacert /root/certs/CA.pem --win-subtree OU=SOMETHING,DC=xxx,DC=example,DC=com ad.XXX.example.com
Added CA certificate /root/certs/CA.pem to certificate database for master.ipa.XX.XXX.example.com
ipa: INFO: AD Suffix is: DC=xxx,DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'master.ipa.XX.XXX.example.com' to 'ad.XXX.example.com'

When I list the replicas I get:

ipa-replica-manage list
master.ipa.XX.XXX.example.com: master
ad.XXX.example.com: winsync

Then I modified the agreement to be one way:

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3DXX\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows

But the issue is that I receive no user from the AD. The directory server remains empty.
The log of the agreement setup is attached to the mail.

Here is my current configuration:

ldapsearch -LLLx -b "cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" -D "cn=directory manager" -W 'objectclass=*'
dn: cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 3
nsds5replicabinddngroupcheckinterval: 60
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: AwAAAAAAAAByxZBXAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAA==
nsDS5ReplicaName: dd9e8a43-483511e6-9d1e93d7-d4af26e1
nsds5ReplicaChangeCount: 2247
nsds5replicareapactive: 0

dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dxx\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=SOMETHING,DC=xxx,DC=example,DC=com
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
cn: meToad.XXX.example.com
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaRoot: dc=ipa,dc=xx,dc=xxx,dc=example,dc=com
nsDS5ReplicaHost: ad.XXX.example.com
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: CN=USER_LDAP,OU=users,OU=srv,DC=xxx,DC=example,DC=com
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipa.XX.XXX.example.com
nsDS5ReplicaBindMethod: simple
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
description: me to ad.xxx.example.com
nsDS5ReplicaCredentials: {AFSSDFASD==}
oneWaySync: fromWindows
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20160721125815Z
nsds5replicaLastUpdateEnd: 20160721125815Z
nsds5replicaChangesSentSinceStartup:: Mzo5LzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160721125315Z
nsds5replicaLastInitEnd: 20160721125315Z
nsds5replicaLastInitStatus: 0 Total update succeeded

I tried to re-initialize and force-sync, but nothing helps.
I'm really stuck because there is nothing visible for me in the logs.

Thank you for reading me,

Nathan Malo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: agmt_create.log
Type: text/x-log
Size: 31959 bytes
Desc: not available
URL:

From linov.suresh at gmail.com  Thu Jul 21 15:14:55 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Thu, 21 Jul 2016 11:14:55 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com>
Message-ID:

I set debug=true in /etc/ipa/default.conf

Here are my logs,

*[root at caer ~]# tail -f /var/log/httpd/error_log*
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
[Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38

*[root at caer ~]# tail -f /var/log/pki-ca/debug*
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done

*[root at caer ~]# tail -f /var/log/pki-ca/transactions*
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed.  CRL ID: MasterCRL  CRL Number: 8,912  last update time: 7/20/16 5:00 PM  next update time: 7/20/16 9:00 PM  Number of entries in the CRL: 11  time: 25  CRL time: 25  delta CRL time: 0  (0,0,0,0,0,0,0,8,17,0,0,25,25)
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,913  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed.  CRL ID: MasterCRL  CRL Number: 8,913  last update time: 7/20/16 9:00 PM  next update time: 7/21/16 1:00 AM  Number of entries in the CRL: 11  time: 11  CRL time: 11  delta CRL time: 0  (0,0,0,0,0,0,0,6,5,0,0,11,11)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,914  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed.  CRL ID: MasterCRL  CRL Number: 8,914  last update time: 7/21/16 1:00 AM  next update time: 7/21/16 5:00 AM  Number of entries in the CRL: 11  time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,915  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed.  CRL ID: MasterCRL  CRL Number: 8,915  last update time: 7/21/16 5:00 AM  next update time: 7/21/16 9:00 AM  Number of entries in the CRL: 11  time: 16  CRL time: 16  delta CRL time: 0  (0,0,0,0,0,0,0,8,8,0,0,16,16)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,916  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed.  CRL ID: MasterCRL  CRL Number: 8,916  last update time: 7/21/16 9:00 AM  next update time: 7/21/16 1:00 PM  Number of entries in the CRL: 11  time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)
10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39

*[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
But interestingly,

[root at caer ~]# ipa cert-show 1

returns "*ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)*"

On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh wrote:

> This could be because of incorrect trust attributes on the
> certificates, the current attributes are,
>
> [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,Pu
> subsystemCert cert-pki-ca                                    u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                    u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> I'm going to fix the trust attributes and try.
>
> On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik wrote:
>
>> On 07/20/2016 09:41 PM, Linov Suresh wrote:
>> > I have restarted the pki-cad and checked if communication with the CA is
>> > working, but no luck,
>> >
>> > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
>> > anything other than this?
>>
>> /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
>>
>> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>
>> /var/log/pki-ca/debug
>> /var/log/pki-ca/transactions
>> /var/log/pki-ca/selftest.log
>>
>> >
>> > [root at caer ~]# ipa cert-show 1
>> >   Certificate: [base64 certificate body omitted]
>> >   Subject: CN=Certificate Authority,O=TELOIP.NET
>> >   Issuer: CN=Certificate Authority,O=TELOIP.NET
>> >   Not Before: Wed Dec 14 22:29:56 2011 UTC
>> >   Not After: Sat Dec 14 22:29:56 2019 UTC
>> >   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>> >   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>> >   Serial number (hex): 0x1
>> >   Serial number: 1
>> > [root at caer ~]#
>> >
>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>> >
>> > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
>> >
>> > Linov Suresh wrote:
>> >
>> > Thanks for your help Rob, I will create a separate thread for the IPA
>> > replication issue. But we are still getting
>> >
>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>> >
>> > Could you please help us to fix this?
>> >
>> > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
>> > like: ipa cert-show 1
>> >
>> > You should get back a cert (doesn't really matter what cert).
>> >
>> > Otherwise I'd check the CA debug log somewhere in /var/log/pki
>> >
>> > rob
>> >
>> > On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> > Glad you got the certificates successfully renewed.
>> >
>> > Can you open a new e-mail thread on this new problem so we can keep
>> > the issues separated?
>> >
>> > IPA gets little information back when dogtag fails to install. You
>> > need to look in /var/log//debug for more information. The
>> > exact location depends on the version of IPA.
>> >
>> > rob
>> >
>> > Linov Suresh wrote:
>> >
>> > Great! That worked, and I successfully renewed the certificates on
>> > the IPA server. Then I was trying to create an IPA replica server
>> > and got an error,
>> >
>> > [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> > Directory Manager (existing master) password:
>> > Configuring NTP daemon (ntpd)
>> >   [1/4]: stopping ntpd
>> >   [2/4]: writing configuration
>> >   [3/4]: configuring ntpd to start on boot
>> >   [4/4]: starting ntpd
>> > Done configuring NTP daemon (ntpd).
>> > Configuring directory server for the CA (pkids): Estimated time 30 seconds
>> >   [1/3]: creating directory server user
>> >   [2/3]: creating directory server instance
>> >   [3/3]: restarting directory server
>> > Done configuring directory server for the CA (pkids).
>> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/17]: creating certificate server user
>> >   [2/17]: creating pki-ca instance
>> >   [3/17]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>> > Your system may be partly configured.
>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > Configuration of CA failed
>> > [root at neit-lab ~]#
>> >
>> > I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>> > wasn't helpful. Wondering if you can help us on this,
>> >
>> > On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> > Linov Suresh wrote:
>> >
>> > I have followed Redhat official documentation,
>> > https://access.redhat.com/solutions/643753 for certificate renewal,
>> > which says *add: usercertificate. (step 12)*
>> >
>> > While on the other hand FreeIPA official documentation
>> > http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
>> > *add: usercertificate;binary*
>> >
>> > Just wondering if we need to *add* the certificate or *replace* the
>> > existing certificate, and which format do we need to use, *pem* or *der*?
>> >
>> > We already successfully renewed the certificates about months back, but
>> > they were expired about 6 months back and we were not able to renew till
>> > now, and it has affected our production environment.
>> >
>> > Please help us.
>> >
>> > You shouldn't have to mess with these values at all. In 3.0 this is
>> > handled somewhat automatically.
>> >
>> > I'd restart the CA, then certmonger and see if the communication
>> > error goes away for the CA subservice certificates (the internal error).
>> >
>> > # service pki-cad restart
>> >
>> > # service certmonger restart
>> >
>> > I find it very strange that the certificates were set to expire
>> > yesterday but it isn't a show-stopper necessarily assuming you can
>> > get the CA back up.
>> >
>> > Assuming you can, then go back in time again, this time just a few
>> > days and try renewing the LDAP and Apache server certs again.
>> >
>> > rob
>> >
>> > On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > We have cloned and created another virtual server from the template.
>> > Surprisingly this server's certificates were also expired at the same
>> > time as the previous, just lasted for a day.
>> > This issue has something to do with the Kerberos tickets?
>> >
>> > I am new to IPA and your help is highly appreciated.
>> >
>> > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > *Update: my webserver and LDAP certificates were expired at
>> > 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>> >
>> > *Could you please help us?*
>> >
>> > [root at caer tmp]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:54:36 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223300':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:54:52 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223316':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:55:04 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Audit,O=TELOIP.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> > stuck: no >> > key pair storage: >> > >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate >> > DB',pin='297100916664' >> > certificate: >> > >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate >> DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> > Authority,O=TELOIP.NET < >> http://TELOIP.NET> >> > >> > >> > subject: CN=OCSP >> > Subsystem,O=TELOIP.NET < >> http://TELOIP.NET> >> > >> > expires: 2017-10-13 >> 14:09:49 UTC >> > eku: id-kp-OCSPSigning >> > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> > >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "ocspSigningCert >> > cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130743': >> > status: MONITORING >> > ca-error: Internal error: >> no response to >> > >> > >> > >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". 
>> > stuck: no >> > key pair storage: >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate >> > DB',pin='297100916664' >> > certificate: >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate >> DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> > Authority,O=TELOIP.NET < >> http://TELOIP.NET> >> > >> > >> > subject: CN=CA >> > Subsystem,O=TELOIP.NET >> > >> > >> > expires: 2017-10-13 >> 14:09:49 UTC >> > eku: >> id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: >> > >> /usr/lib64/ipa/certmonger/renew_ca_cert >> > "subsystemCert >> > cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130744': >> > status: MONITORING >> > ca-error: Internal error: >> no response to >> > >> > >> > >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". 
>> > stuck: no >> > key pair storage: >> > >> > >> > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > Certificate >> > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > >> > >> > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> > Authority,O=TELOIP.NET < >> http://TELOIP.NET> >> > >> > >> > subject: CN=RA >> > Subsystem,O=TELOIP.NET >> > >> > >> > expires: 2017-10-13 >> 14:09:49 UTC >> > eku: >> id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > /usr/lib64/ipa/certmonger/restart_httpd >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130745': >> > status: MONITORING >> > ca-error: Internal error: >> no response to >> > >> > >> > >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". >> > stuck: no >> > key pair storage: >> > >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS >> > Certificate DB',pin='297100916664' >> > certificate: >> > >> > >> > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS >> > Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate >> > Authority,O=TELOIP.NET < >> http://TELOIP.NET> >> > >> > >> > subject: CN=caer.teloip.net >> > >> > >> > >> > ,O= >> TELOIP.NET >> > >> > >> > >> > expires: 2017-10-13 >> 14:09:49 UTC >> > eku: >> id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > >> /usr/lib64/ipa/certmonger/restart_dirsrv >> > "TELOIP.NET >> > >> > " >> > track: yes >> > auto-renew: yes >> > >> > On Mon, Jul 18, 2016 at 12:00 PM, >> Linov Suresh >> > > > >> > > linov.suresh at gmail.com>> >> > >> > > linov.suresh at gmail.com>>> >> > > > >> > > linov.suresh at gmail.com>> >> > >> > > linov.suresh at 
gmail.com>>>>> >> > wrote: >> > >> > Yes, PKI is running and I don't >> see any >> > errors in >> > selftests, >> > I have followed >> > https://access.redhat.com/solutions/643753 >> > and restarted the PKI in step 10. >> > >> > The only change which I made was >> clean >> > up userCertificate;binary before >> adding new >> > userCertificatein LDAP, which is >> step 12. >> > >> > >> > [root at caer ~]# >> /etc/init.d/pki-cad status >> > pki-ca (pid 8634) is running... >> > [ >> > OK ] >> > Unsecure Port = >> > http://caer.teloip.net:9180/ca/ee/ca >> > Secure Agent Port = >> > https://caer.teloip.net:9443/ca/agent/ca >> > Secure EE Port = >> > https://caer.teloip.net:9444/ca/ee/ca >> > Secure Admin Port = >> > https://caer.teloip.net:9445/ca/services >> > EE Client Auth Port = >> > https://caer.teloip.net:9446/ca/eeca/ca >> > PKI Console Port = >> pkiconsole >> > https://caer.teloip.net:9445/ca >> > Tomcat Port = 9701 >> (for >> > shutdown) >> > >> > PKI Instance Name: pki-ca >> > >> > PKI Subsystem Type: Root CA >> > (Security Domain) >> > >> > Registered PKI Security >> Domain >> > Information: >> > >> > >> > >> > >> > >> ========================================================================== >> > Name: IPA >> > URL: >> https://caer.teloip.net:9445 >> > >> > >> > >> > >> > >> ========================================================================== >> > [root at caer ~]# >> > [root at caer ~]# tail -f >> > /var/log/pki-ca/selftests.log >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: loading all >> self test >> > plugin logger >> > parameters >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: loading all >> self test >> > plugin >> > instances >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: loading all >> self test >> > plugin >> > instance >> > parameters >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: loading self >> 
test >> > plugins in >> > on-demand order >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: loading self >> test >> > plugins in >> > startup order >> > 8634.main - >> [18/Jul/2016:11:46:20 EDT] >> > [20] [1] >> > SelfTestSubsystem: Self test >> plugins have >> > been >> > successfully >> > loaded! >> > 8634.main - >> [18/Jul/2016:11:46:21 EDT] >> > [20] [1] >> > SelfTestSubsystem: Running self >> test plugins >> > specified to be >> > executed at startup: >> > 8634.main - >> [18/Jul/2016:11:46:21 EDT] >> > [20] [1] >> > CAPresence: >> > CA is present >> > 8634.main - >> [18/Jul/2016:11:46:21 EDT] >> > [20] [1] >> > SystemCertsVerification: system >> certs >> > verification >> > success >> > 8634.main - >> [18/Jul/2016:11:46:21 EDT] >> > [20] [1] >> > SelfTestSubsystem: All CRITICAL >> self test >> > plugins ran >> > SUCCESSFULLY at startup! >> > >> > Your help is highly appreciated! >> > >> > Linov Suresh >> > >> > 70 Forest Manor Rd. >> > Toronto >> > ON M2J 0A9 >> > Mobile: +1 647 406 9438 >> > >> > >> > >> > >> > Linkedin: >> ca.linkedin.com/in/linov/ >> > >> > >> > >> > < >> http://ca.linkedin.com/in/linov/> >> > Website: >> > http://mylinuxthoughts.blogspot.com >> > >> > >> > On Mon, Jul 18, 2016 at 10:50 >> AM, Petr >> > Vobornik >> > > > >> > > pvoborni at redhat.com>> >> > >> > > pvoborni at redhat.com>>> >> > > pvoborni at redhat.com> >> > > pvoborni at redhat.com>> >> > >> > > pvoborni at redhat.com>>>>> wrote: >> > >> > On 07/18/2016 05:45 AM, >> Linov Suresh >> > wrote: >> > > Thanks for the update Rob. >> I went >> > back to Jan >> > 20, 2016, restarted CA and >> > > certmonger. Look like >> certificates were >> > renewed. But I'm getting a different >> > > error now, >> > > >> > > *ca-error: Internal >> error: no >> > response to >> > > >> > >> > >> > >> > " >> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ".* >> > >> > Is PKI running? 
When you >> change the >> > time, does >> > restart >> > of IPA help? >> > >> > > >> > > [root at caer ~]# getcert >> list >> > > Number of certificates and >> requests >> > being >> > tracked: 8. >> > > Request ID >> '20111214223243': >> > > status: MONITORING >> > > stuck: no >> > > key pair storage: >> > > >> > >> > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > > Certificate >> > >> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt' >> > > certificate: >> > > >> > >> > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS >> > > Certificate DB' >> > > CA: IPA >> > > issuer: >> CN=Certificate >> > Authority,O=TELOIP.NET >> > >> > >> > >> > >> > > subject: >> > CN=caer.teloip.net >> > >> > >> > >> >> >> -- >> Petr Vobornik >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jul 21 15:38:20 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 21 Jul 2016 11:38:20 -0400 Subject: [Freeipa-users] regenerate certificate In-Reply-To: <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> Message-ID: <5790EC6C.1070006@redhat.com> mohammad sereshki wrote: > dear > thanks, but would you please check below and let me know what is your > idea?I checked your command but it did not work. The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps. A simple test that communication is working is: ipa cert-show 1 The output isn't important as long as it isn't an error. rob > > > > Number of certificates and requests being tracked: 8. 
> Request ID '20140817123525':
>     status: MONITORING
>     ca-error: Unable to determine principal name for signing request.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=IPA RA,O=EXAMPLE.COM
>     expires: 2018-06-30 07:56:06 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20140817123534':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>     expires: 2016-08-17 12:35:34 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.-COM
>     track: yes
>     auto-renew: yes
> Request ID '20140817123602':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>     expires: 2016-08-17 12:36:02 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>     track: yes
>     auto-renew: yes
> Request ID '20140817123752':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>     expires: 2016-08-17 12:37:51 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> You have new mail in /var/spool/mail/root
>
>
> ------------------------------------------------------------------------
> *From:* Florence Blanc-Renaud
> *To:* mohammad sereshki ; Freeipa-users
> *Sent:* Thursday, July 21, 2016 11:30 AM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > hi
> > I check my IPA server which is version ipa-server-3.0.0-25 , command "ipa-getcert list" shows my certificate will be expired in the next 20 days, I do not know how to regenerate them
> > but command "getcert list" shows the expiring certificates are related just to "CA: IPA" and the certificate with "CA: dogtag-ipa-renew-agent" has enough time.
> > would you please help me to know how to regenerate CA:IPA certificates?
> >
> > Best Regards
> >
>
> Hi Mohammad,
>
> the certificates issued by IPA CA are normally tracked by certmonger and automatically renewed when they are near their expiration date. To make sure that your certificates are tracked, you can issue
>
> $ ipa-getcert list
>
> and check the "status:" field for each certificate. It should display "MONITORING".
>
> If you want to manually renew them, you must note their request ID and use the command
> $ ipa-getcert resubmit -i $REQUEST_ID
>
> Hope this helps,
> Flo.
>

From pvoborni at redhat.com Thu Jul 21 15:46:24 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 21 Jul 2016 17:46:24 +0200 Subject: [Freeipa-users] IPA certificates expired, please help! In-Reply-To: References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> Message-ID: <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com>

On 07/21/2016 05:14 PM, Linov Suresh wrote:
> I set debug=true in /etc/ipa/default.conf
>
> Here are my logs,

The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time.

Does `ipa cert-show` communicate with the same replica? Could be verified by `ipa -vv cert-show`

But more interesting is:

SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

Are you sure that the CA is running?

# ipactl status

This looks like the self test failed and therefore the CA shouldn't start. It also says that some CA cert is not valid. Which one might be seen in /var/log/pki-ca/debug but a bigger chunk would be needed.
>
> *[root at caer ~]# tail -f /var/log/httpd/error_log*
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
> [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38
>
> *[root at caer ~]# tail -f /var/log/pki-ca/debug*
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done
>
> *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25 CRL time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25)
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11 CRL time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11)
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16 CRL time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16)
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
> 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39
>
> *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)*"
>
> On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh wrote:
>
> This could be because of incorrect trust attributes on the certificates; the current attributes are,
>
> [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,Pu
> subsystemCert cert-pki-ca                                    u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                    u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> I'm going to fix the trust attributes and try.
>
> On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik wrote:
>
> On 07/20/2016 09:41 PM, Linov Suresh wrote:
> > I have restarted the pki-cad and checked if communication with the CA is working, but no luck,
> >
> > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this?
>
> /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>
> /var/log/pki-ca/debug
> /var/log/pki-ca/transactions
> /var/log/pki-ca/selftest.log
>
> > [root at caer ~]# ipa cert-show 1
> >   Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
> > SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
> > MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
> > HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
> > A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
> > ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
> > tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
> > UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
> > tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
> > 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
> > BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
> > HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
> > AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
> > MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
> > kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
> > 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
> > nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
> > e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
> > b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
> >   Subject: CN=Certificate Authority,O=TELOIP.NET
> >   Issuer: CN=Certificate Authority,O=TELOIP.NET
> >   Not Before: Wed Dec 14 22:29:56 2011 UTC
> >   Not After: Sat Dec 14 22:29:56 2019 UTC
> >   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
> >   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
> >   Serial number (hex): 0x1
> >   Serial number: 1
> > [root at caer ~]#
> >
> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
> >
> > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
> >
> > Linov Suresh wrote:
> > > Thanks for your help Rob, I will create a separate thread for the IPA replication issue. But we are still getting
> > >
> > > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
> > >
> > > Could you please help us to fix this?
> >
> > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1
> >
> > You should get back a cert (doesn't really matter what cert).
> >
> > Otherwise I'd check the CA debug log somewhere in /var/log/pki
> >
> > rob

-- 
Petr Vobornik

From linov.suresh at gmail.com Thu Jul 21 16:10:05 2016 From: linov.suresh at gmail.com (Linov Suresh) Date: Thu, 21 Jul 2016 12:10:05 -0400 Subject: [Freeipa-users] IPA certificates expired, please help! In-Reply-To: <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> References: <578950E8.6040902@redhat.com> <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> Message-ID:

> The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time.
*I am not sure about that, please see httpd_error when `ipa cert-show 1` was run*

[root at caer ~]# *tail -f /var/log/httpd/error_log*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
[Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin at TELOIP.NET: cert_show(u'1'): CertificateOperationError
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21

> Does `ipa cert-show` communicate with the same replica? Could be verified by `ipa -vv cert-show`

*It's asking for the serial number of the certificate. If I give 64 (serial number of ipaCert), I get ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)*

*[root at caer ~]# ipa -vv cert-show*
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
*.*
*.*
*.*
ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin at TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
ipa: DEBUG: Created connection context.xmlclient
Serial number: 64
ipa: DEBUG: raw: cert_show(u'64')
ipa: DEBUG: cert_show(u'64')
ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
ipa: DEBUG: NSSConnection init caer.teloip.net
ipa: DEBUG: Connecting: 10.20.0.75:0
send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
*.*
*.*
*.*
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
send: "\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Thu, 21 Jul 2016 16:05:40 GMT
header: Server: Apache/2.2.15 (CentOS)
header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
header: Connection: close
header: Content-Type: text/xml; charset=utf-8
ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
ipa: DEBUG: stdout=457971704
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
ipa: DEBUG: stdout=457971704
ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pupdate 457971704
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
body: "\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate operation cannot be completed: Unable to communicate with CMS (Not Found)\n\n\n\n\n"
ipa: DEBUG: Caught fault 4301 from server https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[root at caer ~]#

> But more interesting is:
>
> SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> Are you sure that CA is running?
> # ipactl status

*Yes, CA is running,*

*[root at caer ~]# ipactl status*
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

> This looks like that self test fail and therefore CA shouldn't start. It also says that some of CA cert is not valid. Which one might be seen in /var/log/pki-ca/debug but a bigger chunk would be needed.

*[root at caer ~]# tail -100 /var/log/pki-ca/debug*
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721114829Z
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request checkRanges
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID)
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In getInvalidCertsByNotBeforeDate finally.
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getValidCertsByNotAfterDate filter (certStatus=VALID)
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 14
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transidValidCertificates: list size: 14
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitValidCertificates: ltSize 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction getting index 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 EDT 2016
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.

On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik wrote:

> On 07/21/2016 05:14 PM, Linov Suresh wrote:
> > I set debug=true in /etc/ipa/default.conf
> >
> > Here are my logs,
>
> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
> run. If it is from the same time. Does `ipa cert-show` communicate with
> the same replica? Could be verified by `ipa -vv cert-show`
>
> But more interesting is:
>
> SelfTestSubsystem: The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
>
> Are you sure that CA is running?
> # ipactl status
>
> This looks like that self test fail and therefore CA shouldn't start.
> It also says that some of CA cert is not valid. Which one might be seen in
> /var/log/pki-ca/debug but a bigger chunk would be needed.
>
> --
> Petr Vobornik

From rcritten at redhat.com Thu Jul 21 16:23:44 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jul 2016 12:23:44 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com>
Message-ID: <5790F710.8040900@redhat.com>

Linov Suresh wrote:
> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
> run. If it is from the same time.
>
> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
> was run*

The IPA API log isn't going to show much in this case. Requests to the CA are proxied through IPA. The CA WAR is not running on tomcat so when Apache tries to proxy the request tomcat returns a 404, Not Found.

You need to start with the dogtag debug and selftest logs to see what is going on. The logs are pretty verbose and can be challenging to read.

rob
Set-Cookie > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 > GMT; Secure; HttpOnly' > ipa: DEBUG: storing cookie > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 > GMT; Secure; HttpOnly' for principal admin at TELOIP.NET > > ipa: DEBUG: args=keyctl search @s user > ipa_session_cookie:admin at TELOIP.NET > > ipa: DEBUG: stdout=457971704 > > ipa: DEBUG: stderr= > ipa: DEBUG: args=keyctl search @s user > ipa_session_cookie:admin at TELOIP.NET > > ipa: DEBUG: stdout=457971704 > > ipa: DEBUG: stderr= > ipa: DEBUG: args=keyctl pupdate 457971704 > ipa: DEBUG: stdout= > ipa: DEBUG: stderr= > body: " encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate > operation cannot be completed: Unable to communicate with CMS (Not > Found)\n\n\n\n\n" > ipa: DEBUG: Caught fault 4301 from server > https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be > completed: Unable to communicate with CMS (Not Found) > ipa: DEBUG: Destroyed connection context.xmlclient > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > [root at caer ~]# > > > But more interesting is: SelfTestSubsystem: The CRITICAL self test > plugin called selftests.container.instance.SystemCertsVerification > running at startup FAILED! > > Are you sure that CA is running? > # ipactl status > *Yes, CA is running, * > > *[root at caer ~]# ipactl status* > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > DNS Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > CA Service: RUNNING > > This looks like the self test failed and therefore the CA shouldn't start. It > also says that some CA cert is not valid. Which one might be seen in > /var/log/pki-ca/debug but a bigger chunk would be needed. 
> > *[root at caer ~]# tail -100 /var/log/pki-ca/debug * > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721114829Z > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter > attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: > [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, > x509cert] pageSize -200 startFrom 20160721114829Z > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in > range: 268369849 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers > available: 268369849 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request checkRanges > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in > range: 9989888 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers > available: 9989888 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done > [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password > store 
initialized before. > [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start > updateCertStatus > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting > updateCertStatus (entered lock) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter > attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs: > [objectclass, certRecordId, x509cert] pageSize -200 startFrom > 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > getInvalidCertsByNotBeforeDate finally. 
> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getValidCertsByNotAfterDate filter (certStatus=VALID) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter > attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: > [objectclass, certRecordId, x509cert] pageSize -200 startFrom > 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List > size: 14 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > transidValidCertificates: list size: 14 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > transitValidCertificates: 
ltSize 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction > getting index 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not > qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 > EDT 2016 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter > attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: > [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, > x509cert] pageSize -200 startFrom 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in > range: 268369849 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers > available: 268369849 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in > range: 9989888 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers > available: 9989888 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done > [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > > On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik > wrote: > > On 07/21/2016 05:14 PM, Linov Suresh wrote: > > I set debug=true in /etc/ipa/default.conf > > > > Here are my logs, > > The httpd_error log doesn't contain the part where `ipa cert-show 1` was > run, if it is from the same time. Does `ipa cert-show` communicate with > the same replica? Could be verified by `ipa -vv cert-show` > > But more interesting is: > > SelfTestSubsystem: The CRITICAL self test plugin called > selftests.container.instance.SystemCertsVerification running at startup > FAILED! > > Are you sure that CA is running? > # ipactl status > > This looks like the self test failed and therefore the CA shouldn't start. It > also says that some CA cert is not valid. 
Which one might be seen in > /var/log/pki-ca/debug but a bigger chunk would be needed. > > > > > *[root at caer ~]# tail -f /var/log/httpd/error_log* > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI > WSGIExecutioner.__call__: > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: > user_show(u'admin', > > rights=False, all=False, raw=False, version=u'2.46') > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > user_show(u'admin', rights=False, > > all=False, raw=False, version=u'2.46') > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: > > entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net > > > memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=replication > > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=modify replication > > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=remove > > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=unlock user > > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=manage > > service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=trust > admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=host > enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=manage host > > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=enroll a > > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add host > > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')] > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result > > > direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=trust > 
admins,cn=groups,cn=accounts,dc=teloip,dc=net')] > > indirect=[ipapython.dn.DN('cn=replication > > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=modify replication > > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=remove > > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=unlock user > > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=manage > > service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=host > enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=manage host > > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=enroll a > > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add host > > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')] > > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET > > > >: > user_show(u'admin', rights=False, all=False, > > raw=False, version=u'2.46'): SUCCESS > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1 > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2 > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file > > "/var/run/ipa_memcached/krbcc_13554" > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: > > session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 > > access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38 > > > > *[root at caer ~]# tail -f /var/log/pki-ca/debug* > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107 > > 
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : > > returning value 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: > > 9989888 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done > > > > *[root at caer ~]# tail -f /var/log/pki-ca/transactions* > > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: > 7/20/16 5:00 PM > > next update time: 7/20/16 9:00 PM Number of entries in the CRL: > 11 time: 25 CRL > > time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25) > > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: > 7/20/16 9:00 PM > > next update time: 7/21/16 1:00 AM Number of entries in the CRL: > 11 time: 11 CRL > > time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11) > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] > [1] CRL update > > started. 
CRL ID: MasterCRL CRL Number: 8,914 Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: > 7/21/16 1:00 AM > > next update time: 7/21/16 5:00 AM Number of entries in the CRL: > 11 time: 13 CRL > > time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13) > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: > 7/21/16 5:00 AM > > next update time: 7/21/16 9:00 AM Number of entries in the CRL: > 11 time: 16 CRL > > time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16) > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] > [1] CRL Update > > completed. 
CRL ID: MasterCRL CRL Number: 8,916 last update time: > 7/21/16 9:00 AM > > next update time: 7/21/16 1:00 PM Number of entries in the CRL: > 11 time: 13 CRL > > time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13) > > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal > reqID 112 > > fromAgent userID: ipara authenticated by certUserDBAuthMgr is > completed DN > > requested: CN=CA Audit,O=TELOIP.NET > cert issued serial > > number: 0x47 time: 39 > > > > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log* > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all > > self test plugin logger parameters > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all > > self test plugin instances > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all > > self test plugin instance parameters > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading > > self test plugins in on-demand order > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading > > self test plugins in startup order > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test > > plugins have been successfully loaded! > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self > > test plugins specified to be executed at startup: > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system > > certs verification failure > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL > > self test plugin called selftests.container.instance.SystemCertsVerification > > running at startup FAILED! 
> > > > But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: > ERROR: > > Certificate operation cannot be completed: Unable to communicate with CMS (Not > > Found)*" > > > > On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh > > >> wrote: > > > > This could be because of incorrect trust attributes on the > > certificates, the current attributes are, > > > > [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias > > > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > > > ocspSigningCert cert-pki-ca u,u,Pu > > subsystemCert cert-pki-ca u,u,Pu > > caSigningCert cert-pki-ca CTu,Cu,Cu > > subsystemCert cert-pki-ca u,u,Pu > > Server-Cert cert-pki-ca u,u,u > > auditSigningCert cert-pki-ca u,u,Pu > > > > I'm going to fix the trust attributes and try. > > > > On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik > > >> wrote: > > > > On 07/20/2016 09:41 PM, Linov Suresh wrote: > > > I have restarted the pki-cad and checked if > communication with the CA is > > > working, but no luck, > > > > > > Debug logs in /var/log/pki-ca do not have anything > unusual. Can you think of > > > anything other than this? 
> > > > /var/log/httpd/error_log when /etc/ipa.conf is set to > debug=true > > > https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data > > > > /var/log/pki-ca/debug > > /var/log/pki-ca/transactions > > /var/log/pki-ca/selftest.log > > > > > > > > [root at caer ~]# ipa cert-show 1 > > > Certificate: > MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP > > > > SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0 > > > > MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w > > > > HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA > > > > A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV > > > > ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e > > > > tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb > > > > UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe > > > > tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7 > > > > 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j > > > > BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV > > > > HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG > > > > AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5 > > > > MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj > > > > kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y > > > > 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV > > > > nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt > > > > e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK > > > > b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30= > > > Subject: CN=Certificate Authority,O=TELOIP.NET > > > > > > Issuer: CN=Certificate Authority,O=TELOIP.NET > > > > > > Not Before: Wed Dec 14 22:29:56 2011 UTC > > > Not After: Sat Dec 14 22:29:56 2019 UTC > > > Fingerprint (MD5): > c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a > > 
> Fingerprint (SHA1): > ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e > > > Serial number (hex): 0x1 > > > Serial number: 1 > > > [root at caer ~]# > > > > > > *ca-error: Internal error: no response to > > > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". > > > * > > > > > > > > > > > > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden > > > > > > > >>> wrote: > > > > > > Linov Suresh wrote: > > > > > > Thanks for your help Rob, I will create a > separate thread for IPA > > > replication issue. But we are still getting > > > * > > > * > > > *ca-error: Internal error: no response to > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".* > > > > > > Could you please help us to fix this? > > > > > > > > > I think your CA isn't quite fixed yet. I'd restart > pki-cad then do something > > > like: ipa cert-show 1 > > > > > > You should get back a cert (doesn't really matter > what cert). 
> > > > > > Otherwise I'd check the CA debug log somewhere in > /var/log/pki > > > > > > rob > > > > > > -- > Petr Vobornik > > From mohammadsereshki at yahoo.com Thu Jul 21 18:31:30 2016 From: mohammadsereshki at yahoo.com (mohammad sereshki) Date: Thu, 21 Jul 2016 18:31:30 +0000 (UTC) Subject: [Freeipa-users] regenerate certificate In-Reply-To: <5790EC6C.1070006@redhat.com> References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> Message-ID: <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> Hi, it is the result of the command; it seems the issue is another thing: ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) From: Rob Crittenden To: mohammad sereshki ; Florence Blanc-Renaud ; Freeipa-users Sent: Thursday, July 21, 2016 8:08 PM Subject: Re: [Freeipa-users] regenerate certificate mohammad sereshki wrote: > dear > thanks, but would you please check below and let me know what is your > idea? I checked your command but it did not work. The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps. A simple test that communication is working is: ipa cert-show 1 The output isn't important as long as it isn't an error. rob > > > > Number of certificates and requests being tracked: 8. > Request ID '20140817123525': > status: MONITORING > ca-error: Unable to determine principal name for signing request. > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > 
subject: CN=IPA RA,O=EXAMPLE.COM > expires: 2018-06-30 07:56:06 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20140817123534': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found)). > stuck: yes > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM > expires: 2016-08-17 12:35:34 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv > EXAMPLE.-COM > track: yes > auto-renew: yes > Request ID '20140817123602': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed > at server. Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found)). > stuck: yes > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM > 
expCOMes: 2016-08-17 12:36:02 UTC >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? ? ? ? ? pre-save command: >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv > PKI-IPA >? ? ? ? ? track: yes >? ? ? ? ? auto-renew: yes > Request ID '20140817123752': >? ? ? ? ? status: CA_UNREACHABLE >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed > at server.? Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found)). >? ? ? ? ? stuck: yes >? ? ? ? ? key paCOM storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >? ? ? ? ? certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' >? ? ? ? ? CA: IPA >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM >? ? ? ? ? expCOMes: 2016-08-17 12:37:51 UTC >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? ? ? ? ? pre-save command: >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_httpd >? ? ? ? ? track: yes >? ? ? ? ? auto-renew: yes > You have new mail in /var/spool/mail/root > > > ------------------------------------------------------------------------ > *From:* Florence Blanc-Renaud > *To:* mohammad sereshki ; Freeipa-users > > *Sent:* Thursday, July 21, 2016 11:30 AM > *Subject:* Re: [Freeipa-users] regenerate certificate > > On 07/20/2016 10:04 PM, mohammad sereshki wrote: >? > hi >? > I check my IPA server which is version ipa-server-3.0.0-25 , command >? > "ipa-get-cert list" show, my certificate will be expired in next 20 days, >? > I do not know how to regenerate them >? > but command "getcert list" shows epirtion certificates are related just >? > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,? has enough >? > time . >? > would you please help me to know how to regenerate CA:IPA certificates? >? > >? > Best Regards >? > >? > >? 
>
> Hi Mohammad,
>
> the certificates issued by IPA CA are normally tracked by certmonger and
> automatically renewed when they are near their expiration date. To make
> sure that your certificates are tracked, you can issue
>
> $ ipa-getcert list
>
> and check the "status:" field for each certificate. It should display
> "MONITORING".
>
> If you want to manually renew them, you must note their request ID and
> use the command
> $ ipa-getcert resubmit -i $REQUEST_ID
>
> Hope this helps,
> Flo.

From rcritten at redhat.com Thu Jul 21 18:39:45 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jul 2016 14:39:45 -0400
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <579116F1.1000908@redhat.com>

mohammad sereshki wrote:
> hi
> it is the result of the command; it seems the issue is another thing:
>
>   ipa cert-show 1
>   ipa: ERROR: Certificate operation cannot be completed: Unable to
>   communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at
the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob
From mohammadsereshki at yahoo.com Thu Jul 21 18:42:12 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 18:42:12 +0000 (UTC)
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <579116F1.1000908@redhat.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> <579116F1.1000908@redhat.com>
Message-ID: <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com>

hi
would you please explain more?

From: Rob Crittenden
To: mohammad sereshki ; Florence Blanc-Renaud ; Freeipa-users
Sent: Thursday, July 21, 2016 11:09 PM
Subject: Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
> hi
> it is the result of the command; it seems the issue is another thing:
>
>   ipa cert-show 1
>   ipa: ERROR: Certificate operation cannot be completed: Unable to
>   communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at
the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob
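The checks suggested so far in this thread (Flo's `ipa-getcert list` with a MONITORING status per request and `ipa-getcert resubmit -i` for manual renewal, and Rob's point that a Not Found from the CA means it is not up), as an added example that is not code from FreeIPA, certmonger or Dogtag: a small Python triage script that parses `getcert list` output for requests that are not MONITORING, are stuck, or expire soon, and scans a Dogtag selftests.log (in the format quoted later in the thread) for a FAILED startup self test. Both sample inputs are constructed from the listings in this thread, and the thread's date is used as "now".

```python
"""Added triage helper, not code from FreeIPA, certmonger or Dogtag: parse the
text output of `getcert list` and a Dogtag selftests.log and report what to act on."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample in the layout of the `getcert list` output quoted in the thread:
# one healthy MONITORING entry and one stuck CA_UNREACHABLE entry (some fields trimmed).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140817123752':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:37:51 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

# Constructed sample in the layout of the Dogtag selftests.log quoted in the thread.
SAMPLE_SELFTESTS = """\
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':")
SELFTEST_FAILED = re.compile(r"self test plugin called (\S+) running at startup FAILED!")
# The thread's date, used as "now" so the sample expiry is the "next 20 days" case.
THREAD_NOW = datetime(2016, 7, 21, 18, 0, tzinfo=timezone.utc)


@dataclass
class TrackedRequest:
    request_id: str
    fields: dict = field(default_factory=dict)

    def expires_at(self):
        # certmonger prints "YYYY-MM-DD HH:MM:SS UTC": drop the zone word, attach UTC.
        stamp = self.fields["expires"].rsplit(" ", 1)[0]
        return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one TrackedRequest per "Request ID" block."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_HEADER.match(line)
        if m:
            current = TrackedRequest(m.group(1))
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: ca-error values contain further colons.
            key, _, value = line.strip().partition(":")
            current.fields[key] = value.strip()
    return requests


def triage(requests, now, warn_days=30):
    """Return (request_id, reason) pairs following the advice in the thread: status
    should be MONITORING, "stuck: yes" means certmonger cannot finish on its own,
    and anything near expiry is a candidate for `ipa-getcert resubmit -i <ID>`."""
    findings = []
    for r in requests:
        status = r.fields.get("status", "")
        if status != "MONITORING":
            findings.append((r.request_id, f"status {status}: {r.fields.get('ca-error', '')}"))
        if r.fields.get("stuck") == "yes":
            findings.append((r.request_id, "stuck: get the CA running, then resubmit the request"))
        days_left = (r.expires_at() - now).days
        if days_left < warn_days:
            findings.append((r.request_id, f"expires in {days_left} days ({r.fields['expires']})"))
    return findings


def failed_selftests(log_text):
    """Plugin names that selftests.log reports as FAILED at startup. A failed CRITICAL
    self test is one reason the CA webapp never comes up while tomcat keeps running,
    which is what IPA reports as "Unable to communicate with CMS (Not Found)"."""
    return [m.group(1) for m in map(SELFTEST_FAILED.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    for request_id, reason in triage(parse_getcert_list(SAMPLE_GETCERT), THREAD_NOW):
        print(f"{request_id}: {reason}")
    for plugin in failed_selftests(SAMPLE_SELFTESTS):
        print(f"selftests.log: {plugin} FAILED; check catalina.out and debug next")
```

On a real server, feed it `getcert list` output and /var/log/pki-ca/selftests.log instead of the constructed samples.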
From rcritten at redhat.com Thu Jul 21 18:51:13 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jul 2016 14:51:13 -0400
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> <579116F1.1000908@redhat.com> <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <579119A1.7030500@redhat.com>

mohammad sereshki wrote:
> hi
> would you please explain more?

Your CA (dogtag) is not running. The CA is written in java and deployed
as a WAR in tomcat. If something goes wrong during initialization the CA
will exit but tomcat will not. Requests to the CA are returning 404 Not
Found because the application is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.
I'd start with selftests.log then move onto catalina.out and debug.

rob
From mohammadsereshki at yahoo.com Thu Jul 21 19:04:42 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 19:04:42 +0000 (UTC)
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <579119A1.7030500@redhat.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> <579116F1.1000908@redhat.com> <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com> <579119A1.7030500@redhat.com>
Message-ID: <112650488.3317166.1469127882492.JavaMail.yahoo@mail.yahoo.com>

hi
I find the below in the debug file under /var/log/pki-ca; what is your comment?

21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)

From: Rob Crittenden
To: mohammad sereshki ; Florence Blanc-Renaud ; Freeipa-users
Sent: Thursday, July 21, 2016 11:21 PM
Subject: Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
> hi
> would you please explain more?

Your CA (dogtag) is not running. The CA is written in java and deployed
as a WAR in tomcat. If something goes wrong during initialization the CA
will exit but tomcat will not. Requests to the CA are returning 404 Not
Found because the application is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.
I'd start with selftests.log then move onto catalina.out and debug.

rob
> and check the "status:" field for each certificate. It should display >? >? > "MONITORING". >? >? > >? >? > If you want to manually renew them, you must note their request ID and >? >? > use the command >? >? > $ ipa-getcert resubmit -i $REQUEST_ID >? >? > >? >? > Hope this helps, >? >? > Flo. >? >? > >? >? > >? >? > >? >? > >? >? > >? > >? > >? > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mohammadsereshki at yahoo.com Thu Jul 21 19:06:20 2016 From: mohammadsereshki at yahoo.com (mohammad sereshki) Date: Thu, 21 Jul 2016 19:06:20 +0000 (UTC) Subject: [Freeipa-users] regenerate certificate In-Reply-To: <112650488.3317166.1469127882492.JavaMail.yahoo@mail.yahoo.com> References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> <579116F1.1000908@redhat.com> <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com> <579119A1.7030500@redhat.com> <112650488.3317166.1469127882492.JavaMail.yahoo@mail.yahoo.com> Message-ID: <885440916.3280420.1469127980535.JavaMail.yahoo@mail.yahoo.com> and below is for selftests.log 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:? CA is present 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins: 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? 
loading all self test plugin logger parameters 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instances 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instance parameters 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in on-demand order 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in startup order 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:? CA is present 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! (END) From: mohammad sereshki To: Rob Crittenden ; Florence Blanc-Renaud ; Freeipa-users Sent: Thursday, July 21, 2016 11:34 PM Subject: Re: [Freeipa-users] regenerate certificate hiI find below in debug file under /var/log/pki-cawhat is your comment? 21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LD AP based, not XML {1}, use default authz mgr: {2}. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. 
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus [21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock) From: Rob Crittenden To: mohammad sereshki ; Florence Blanc-Renaud ; Freeipa-users Sent: Thursday, July 21, 2016 11:21 PM Subject: Re: [Freeipa-users] regenerate certificate mohammad sereshki wrote: > hi > would you please explain more > ? Your CA (dogtag) is not running. The CA is written in java and deployed as a WAR in tomcat. If something goes wrong during initialization the CA will exit but tomcat will not. Requests to the CA are returning 404 Not Found because the application is not running in dogtag. You need to look at the logs in /var/log/pki-ca to see what is going on. I'd start with selftests.log then move onto catalina.out and debug. rob > > > ------------------------------------------------------------------------ > *From:* Rob Crittenden > *To:* mohammad sereshki ; Florence > Blanc-Renaud ; Freeipa-users > *Sent:* Thursday, July 21, 2016 11:09 PM > *Subject:* Re: [Freeipa-users] regenerate certificate > > mohammad sereshki wrote: >? > hi >? > it is result of command, seems issue is another thing >? > >? > >? >? ipa cert-show 1 >? > ipa: ERROR: Certificate operation cannot be completed: Unable to >? > communicate with CMS (Not Found) > > Which means that the CA still isn't up. You're going to need to look at > the dogtag logs in /var/log/pki*. debug is probably the place to start. > > rob > >? > >? > >? > >? > ------------------------------------------------------------------------ >? 
From mohammadsereshki at yahoo.com Thu Jul 21 19:08:16 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC)
Subject: [Freeipa-users] regenerate certificate
In-Reply-To: <885440916.3280420.1469127980535.JavaMail.yahoo@mail.yahoo.com>
References: <2070388491.2672152.1469045056891.JavaMail.yahoo.ref@mail.yahoo.com> <2070388491.2672152.1469045056891.JavaMail.yahoo@mail.yahoo.com> <1169715177.3156409.1469087959138.JavaMail.yahoo@mail.yahoo.com> <5790EC6C.1070006@redhat.com> <132250205.3247901.1469125890589.JavaMail.yahoo@mail.yahoo.com> <579116F1.1000908@redhat.com> <560622393.3258002.1469126532769.JavaMail.yahoo@mail.yahoo.com> <579119A1.7030500@redhat.com> <112650488.3317166.1469127882492.JavaMail.yahoo@mail.yahoo.com> <885440916.3280420.1469127980535.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com>

and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
        at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
        at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
        at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
        at java.util.TimerThread.mainLoop(Timer.java:555)
        at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
From mohammadsereshki at yahoo.com Thu Jul 21 20:03:26 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 20:03:26 +0000 (UTC)
Subject: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125
Message-ID: <482843013.3386243.1469131406558.JavaMail.yahoo@mail.yahoo.com>

hi
I did some changes, now I get the below error when I open the HTTP service in the web interface:

Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x276 not found)
<1119368990.3296955.1469128096522.JavaMail.yahoo at mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
        at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
        at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
        at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
        at java.util.TimerThread.mainLoop(Timer.java:555)
        at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.

From: mohammad sereshki
To: Rob Crittenden; Florence Blanc-Renaud; Freeipa-users
Sent: Thursday, July 21, 2016 11:36 PM
Subject: Re: [Freeipa-users] regenerate certificate

and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence: CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence: CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

From: mohammad sereshki
To: Rob Crittenden; Florence Blanc-Renaud; Freeipa-users
Sent: Thursday, July 21, 2016 11:34 PM
Subject: Re: [Freeipa-users] regenerate certificate

Hi,
I find the below in the debug file under /var/log/pki-ca. What is your comment?

[21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)

From: Rob Crittenden
To: mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
Sent: Thursday, July 21, 2016 11:21 PM
Subject: Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
> hi
> would you please explain more
>

Your CA (dogtag) is not running. The CA is written in java and deployed as a WAR in tomcat. If something goes wrong during initialization the CA will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob

> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
> *Sent:* Thursday, July 21, 2016 11:09 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
> > hi
> > it is the result of the command; it seems the issue is another thing
> >
> > ipa cert-show 1
> > ipa: ERROR: Certificate operation cannot be completed: Unable to
> > communicate with CMS (Not Found)
>
> Which means that the CA still isn't up. You're going to need to look at
> the dogtag logs in /var/log/pki*. debug is probably the place to start.
>
> rob
>
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden
> > *To:* mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
> > *Sent:* Thursday, July 21, 2016 8:08 PM
> > *Subject:* Re: [Freeipa-users] regenerate certificate
> >
> > mohammad sereshki wrote:
> > > dear
> > > thanks, but would you please check below and let me know what is your
> > > idea? I checked your command but it did not work.
> >
> > The Not Found suggests that the CA is not up. I'd try restarting the
> > pki-cad process to see if that helps.
> >
> > A simple test that communication is working is: ipa cert-show 1
> >
> > The output isn't important as long as it isn't an error.
> >
> > rob
> >
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20140817123525':
> > >         status: MONITORING
> > >         ca-error: Unable to determine principal name for signing request.
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=IPA RA,O=EXAMPLE.COM
> > >         expires: 2018-06-30 07:56:06 UTC
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > >         track: yes
> > >         auto-renew: yes
> > > Request ID '20140817123534':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > >         stuck: yes
> > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > >         expires: 2016-08-17 12:35:34 UTC
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> > >         track: yes
> > >         auto-renew: yes
> > > Request ID '20140817123602':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > >         stuck: yes
> > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > >         expires: 2016-08-17 12:36:02 UTC
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> > >         track: yes
> > >         auto-renew: yes
> > > Request ID '20140817123752':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > >         stuck: yes
> > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > >         expires: 2016-08-17 12:37:51 UTC
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > >         track: yes
> > >         auto-renew: yes
> > > You have new mail in /var/spool/mail/root
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Florence Blanc-Renaud
> > > *To:* mohammad sereshki; Freeipa-users
> > > *Sent:* Thursday, July 21, 2016 11:30 AM
> > > *Subject:* Re: [Freeipa-users] regenerate certificate
> > >
> > > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > > > hi
> > > > I checked my IPA server, which is version ipa-server-3.0.0-25; the
> > > > command "ipa-getcert list" shows my certificates will expire in the
> > > > next 20 days, and I do not know how to regenerate them.
> > > > But the command "getcert list" shows the expiring certificates are
> > > > related just to "CA:IPA", and the certificate "CA: dogtag-ipa-renew-agent"
> > > > has enough time.
> > > > Would you please help me to know how to regenerate the CA:IPA
> > > > certificates?
> > > >
> > > > Best Regards
> > > >
> > >
> > > Hi Mohammad,
> > >
> > > the certificates issued by IPA CA are normally tracked by certmonger and
> > > automatically renewed when they are near their expiration date. To make
> > > sure that your certificates are tracked, you can issue
> > >
> > > $ ipa-getcert list
> > >
> > > and check the "status:" field for each certificate. It should display
> > > "MONITORING".
> > >
> > > If you want to manually renew them, you must note their request ID and
> > > use the command
> > > $ ipa-getcert resubmit -i $REQUEST_ID
> > >
> > > Hope this helps,
> > > Flo.
> >
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

------------------------------

End of Freeipa-users Digest, Vol 96, Issue 125
**********************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From splash at gmail.com Thu Jul 21 20:05:52 2016
From: splash at gmail.com (Diogenes S. Jesus)
Date: Thu, 21 Jul 2016 22:05:52 +0200
Subject: [Freeipa-users] FreeIPA and slave MIT slave KDCs
Message-ID:

Hi everyone.

I'm currently planning on deploying FreeIPA as the master KDC (among other things, to leverage the API and some other built-in features, like replicas). However, I find (correct me if I'm wrong) FreeIPA not very modular, so I would like to know what the strategy is when deploying slave KDCs.

I've seen this thread, but I don't really want to have a replica; the idea was to deploy a separate box running only a KDC. Since authentication is delegated to RADIUS, I don't need to expose the LDAP master to the KDC slaves. If yes, I would provide a read-only LDAP replica.

For starters, where is the FreeIPA KDC stash file stored?

--
--------
Diogenes S. de Jesus
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Thu Jul 21 20:15:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jul 2016 16:15:27 -0400
Subject: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125
In-Reply-To: <482843013.3386243.1469131406558.JavaMail.yahoo@mail.yahoo.com>
References: <482843013.3386243.1469131406558.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57912D5F.8030201@redhat.com>

mohammad sereshki wrote:
> hi
> I did some changes; now I get the below error when I open the HTTP service in
> the web interface

What changes did you do?

From a previous e-mail the problem is that the CA couldn't validate its own certificates. This is sometimes an issue with certificate trust. To look at it run:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should have a trust of u,u,Pu. If it doesn't you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

> Certificate operation cannot be completed: EXCEPTION (Certificate serial
> number 0x276 not found)

Do you have other CA masters (if not you should, but do that once things are stable)?

rob
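The trust-flag check Rob describes, written up as an added example for this thread (it is not code from FreeIPA, Dogtag or any of the posters): it parses the text that `certutil -L -d /var/lib/pki-ca/alias` prints, compares the trust attributes of the CA system certificates with the expected values, reports nicknames that occur more than once in the database, and builds the `certutil -M` command that would apply the fix. The embedded listing is constructed sample input with the same entries that appear later in the thread, so the script runs offline. Only the `auditSigningCert cert-pki-ca` value (u,u,Pu) is stated in the thread; the other entries in the EXPECTED table are assumptions read off the healthy-looking rows of that listing, not a Dogtag specification.

```python
"""Check Dogtag CA NSS-database trust flags from `certutil -L` output.

Added example for this thread, not code from FreeIPA or Dogtag. It parses
the listing printed by `certutil -L -d /var/lib/pki-ca/alias`, compares the
trust attributes of the CA system certificates with the expected ones, reports
nicknames that occur more than once, and builds the `certutil -M` command
that would set the expected trust.
"""
import re
import subprocess
from collections import defaultdict

NSS_DB = "/var/lib/pki-ca/alias"  # CA NSS database path used in the thread (IPA 3.0 / pki-ca)

# Expected trust attributes (SSL,S/MIME,JAR/XPI). Only the auditSigningCert
# value (u,u,Pu) is stated in the thread; the others are assumptions copied
# from the entries that looked healthy in the posted listing.
EXPECTED = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,Pu",
    "subsystemCert cert-pki-ca": "u,u,Pu",
    "Server-Cert cert-pki-ca": "u,u,u",
}

# A certificate line is "<nickname>   <ssl>,<smime>,<jar>" where each field is a
# (possibly empty) run of NSS trust letters. Header and blank lines do not match.
_CERT_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*(?:,[CTcPpuw]*){2})\s*$")


def parse_certutil_listing(text):
    """Return [(nickname, trust), ...] in the order certutil printed them."""
    entries = []
    for line in text.splitlines():
        match = _CERT_LINE.match(line.rstrip())
        if match:
            entries.append((match.group("nick").strip(), match.group("trust")))
    return entries


def audit_trust(entries):
    """Return findings: wrong trust flags first, then duplicated nicknames."""
    findings = []
    by_nick = defaultdict(list)
    for nick, trust in entries:
        by_nick[nick].append(trust)
        expected = EXPECTED.get(nick)
        if expected is not None and trust != expected:
            findings.append(f"{nick}: trust is {trust}, expected {expected}")
    for nick, trusts in by_nick.items():
        if len(trusts) > 1:
            findings.append(f"{nick}: {len(trusts)} entries share this nickname ({', '.join(trusts)})")
    return findings


def fix_commands(entries, db=NSS_DB):
    """certutil -M invocations (as argv lists) for every entry with wrong trust."""
    return [
        ["certutil", "-M", "-d", db, "-n", nick, "-t", EXPECTED[nick]]
        for nick, trust in entries
        if nick in EXPECTED and trust != EXPECTED[nick]
    ]


def check_live_db(db=NSS_DB):
    """Read the real database (run as root on the CA host) and audit it."""
    listing = subprocess.run(["certutil", "-L", "-d", db], check=True,
                             capture_output=True, text=True).stdout
    return audit_trust(parse_certutil_listing(listing))


# Constructed sample input: the listing posted in the thread, with the column
# spacing certutil uses, so the script runs offline without an NSS database.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,Pu
"""

if __name__ == "__main__":
    sample = parse_certutil_listing(SAMPLE_LISTING)
    for finding in audit_trust(sample):
        print("FINDING:", finding)
    for argv in fix_commands(sample):
        print("FIX:", " ".join(argv))
```

On the sample the script reports the auditSigningCert entry with u,u,u, and that both Server-Cert and auditSigningCert appear twice. Against a real database call `check_live_db()` as root on the CA host. After running a `certutil -M` command, list the database again to confirm which entry changed: `-M` selects the certificate by nickname, and with two entries under one nickname the listing is the only way to see the result before restarting pki-cad and re-reading selftests.log.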
From mohammadsereshki at yahoo.com Thu Jul 21 20:20:53 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Thu, 21 Jul 2016 20:20:53 +0000 (UTC)
Subject: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125
In-Reply-To: <57912D5F.8030201@redhat.com>
References: <482843013.3386243.1469131406558.JavaMail.yahoo@mail.yahoo.com> <57912D5F.8030201@redhat.com>
Message-ID: <893710375.3341199.1469132453575.JavaMail.yahoo@mail.yahoo.com>

Hi,
Ignore my last email. I ran the list of certs; you can see I have 2 auditSigningCert entries. What is this, do you know?
certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,Pu

From: Rob Crittenden
To: mohammad sereshki; "freeipa-users at redhat.com"
Sent: Friday, July 22, 2016 12:45 AM
Subject: Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

mohammad sereshki wrote:
> hi
> I did some changes; now I get the below error when I open the HTTP service in
> the web interface

What changes did you do?

From a previous e-mail the problem is that the CA couldn't validate its own certificates. This is sometimes an issue with certificate trust. To look at it run:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should have a trust of u,u,Pu. If it doesn't you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

> Certificate operation cannot be completed: EXCEPTION (Certificate serial
> number 0x276 not found)

Do you have other CA masters (if not you should, but do that once things are stable)?
rob

> ------------------------------------------------------------------------
> *From:* "freeipa-users-request at redhat.com"
> *To:* freeipa-users at redhat.com
> *Sent:* Thursday, July 21, 2016 11:38 PM
> *Subject:* Freeipa-users Digest, Vol 96, Issue 125
>
> Send Freeipa-users mailing list submissions to
> freeipa-users at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-users
> or, via email, send a message with subject or body 'help' to
> freeipa-users-request at redhat.com
>
> You can reach the person managing the list at
> freeipa-users-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-users digest..."
>
>
> Today's Topics:
>
>    1. Re: regenerate certificate (mohammad sereshki)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC)
> From: mohammad sereshki
> To: Rob Crittenden, Florence Blanc-Renaud, Freeipa-users
> Subject: Re: [Freeipa-users] regenerate certificate
> Message-ID: <1119368990.3296955.1469128096522.JavaMail.yahoo at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> and this is for catalina.out
>
> SEVERE: A web application created a ThreadLocal with key of type [null]
> (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a value of type
> [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9])
> but failed to remove it when the web application was stopped. To prevent a
> memory leak, the ThreadLocal has been forcibly removed.
> Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
> SEVERE: A web application created a ThreadLocal with key of type [null]
> (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a value of type
> [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9])
> but failed to remove it when the web application was stopped. To prevent a
> memory leak, the ThreadLocal has been forcibly removed.
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9180
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9443
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9445
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9444
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9446
> Exception in thread "Timer-0" java.lang.NullPointerException
>         at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
>         at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
>         at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
>         at java.util.TimerThread.mainLoop(Timer.java:555)
>         at java.util.TimerThread.run(Timer.java:505)
> Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9180
> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported
> by NSS. This is probably O.K. unless ECC support has been installed.
> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported
> by NSS. This is probably O.K. unless ECC support has been installed.
> :
>
>
> From: mohammad sereshki
> To: Rob Crittenden; Florence Blanc-Renaud; Freeipa-users
> Sent: Thursday, July 21, 2016 11:36 PM
> Subject: Re: [Freeipa-users] regenerate certificate
>
> and below is for selftests.log
>
> 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence: CA is present
> 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
> 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence: CA is present
> 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
> 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> (END)
>
>
> From: mohammad sereshki
> To: Rob Crittenden; Florence Blanc-Renaud; Freeipa-users
> Sent: Thursday, July 21, 2016 11:34 PM
> Subject: Re: [Freeipa-users] regenerate certificate
>
> hi
> I find below in debug file under /var/log/pki-ca
> what is your comment?
>
> [21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
> [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
> [21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)
>
>
> From: Rob Crittenden
> To: mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
> Sent: Thursday, July 21, 2016 11:21 PM
> Subject: Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
> > hi
> > would you please explain more
>
> Your CA (dogtag) is not running. The CA is written in java and deployed
> as a WAR in tomcat. If something goes wrong during initialization the CA
> will exit but tomcat will not.
>
> Requests to the CA are returning 404 Not Found because the application
> is not running in dogtag.
>
> You need to look at the logs in /var/log/pki-ca to see what is going on.
>
> I'd start with selftests.log then move onto catalina.out and debug.
>
> rob
>
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden
> > *To:* mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
> > *Sent:* Thursday, July 21, 2016 11:09 PM
> > *Subject:* Re: [Freeipa-users] regenerate certificate
> >
> > mohammad sereshki wrote:
> > > hi
> > > it is result of command, seems issue is another thing
> > >
> > > ipa cert-show 1
> > > ipa: ERROR: Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Not Found)
> >
> > Which means that the CA still isn't up. You're going to need to look at
> > the dogtag logs in /var/log/pki*. debug is probably the place to start.
> >
> > rob
> >
> > > ------------------------------------------------------------------------
> > > *From:* Rob Crittenden
> > > *To:* mohammad sereshki; Florence Blanc-Renaud; Freeipa-users
> > > *Sent:* Thursday, July 21, 2016 8:08 PM
> > > *Subject:* Re: [Freeipa-users] regenerate certificate
> > >
> > > mohammad sereshki wrote:
> > > > dear
> > > > thanks, but would you please check below and let me know what is your
> > > > idea? I checked your command but it did not work.
> > >
> > > The Not Found suggests that the CA is not up. I'd try restarting the
> > > pki-cad process to see if that helps.
> > >
> > > A simple test that communication is working is: ipa cert-show 1
> > >
> > > The output isn't important as long as it isn't an error.
> > >
> > > rob
> > >
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20140817123525':
> > > >         status: MONITORING
> > > >         ca-error: Unable to determine principal name for signing request.
> > > >         stuck: no
> > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >         CA: IPA
> > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >         subject: CN=IPA RA,O=EXAMPLE.COM
> > > >         expires: 2018-06-30 07:56:06 UTC
> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > > >         pre-save command:
> > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >         track: yes
> > > >         auto-renew: yes
> > > > Request ID '20140817123534':
> > > >         status: CA_UNREACHABLE
> > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > > >         stuck: yes
> > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
> > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > > >         CA: IPA
> > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > >         expires: 2016-08-17 12:35:34 UTC
> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > > >         pre-save command:
> > > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.-COM
> > > >         track: yes
> > > >         auto-renew: yes
> > > > Request ID '20140817123602':
> > > >         status: CA_UNREACHABLE
> > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > > >         stuck: yes
> > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > > >         CA: IPA
> > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > >         expires: 2016-08-17 12:36:02 UTC
> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > > >         pre-save command:
> > > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> > > >         track: yes
> > > >         auto-renew: yes
> > > > Request ID '20140817123752':
> > > >         status: CA_UNREACHABLE
> > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > > >         stuck: yes
> > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > >         CA: IPA
> > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > >         expires: 2016-08-17 12:37:51 UTC
> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > > >         pre-save command:
> > > >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > >         track: yes
> > > >         auto-renew: yes
> > > > You have new mail in /var/spool/mail/root
> > > >
> > > > ------------------------------------------------------------------------
> > > > *From:* Florence Blanc-Renaud
> > > > *To:* mohammad sereshki; Freeipa-users
> > > > *Sent:* Thursday, July 21, 2016 11:30 AM
> > > > *Subject:* Re: [Freeipa-users] regenerate certificate
> > > >
> > > > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > > > > hi
> > > > > I check my IPA server which is version ipa-server-3.0.0-25 , command
> > > > > "ipa-get-cert list" show, my certificate will be expired in next 20 days,
> > > > > I do not know how to regenerate them
> > > > > but command "getcert list" shows expiration certificates are related just
> > > > > to "CA:IPA" and certificate "CA: dogtag-ipa-renew-agent" has enough
> > > > > time.
> > > > > would you please help me to know how to regenerate CA:IPA
> > > > > certificates?
> > > > >
> > > > > Best Regards
> > > >
> > > > Hi Mohammad,
> > > >
> > > > the certificates issued by IPA CA are normally tracked by certmonger and
> > > > automatically renewed when they are near their expiration date. To make
> > > > sure that your certificates are tracked, you can issue
> > > >
> > > > $ ipa-getcert list
> > > >
> > > > and check the "status:" field for each certificate. It should display
> > > > "MONITORING".
> > > >
> > > > If you want to manually renew them, you must note their request ID and
> > > > use the command
> > > > $ ipa-getcert resubmit -i $REQUEST_ID
> > > >
> > > > Hope this helps,
> > > > Flo.
>
> End of Freeipa-users Digest, Vol 96, Issue 125
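Rob's check above is a visual one: list the NSS database and compare the trust column by eye. As an added example that is not part of the thread, the POSIX shell function below does the same comparison on the text `certutil -L` prints, flagging an auditSigningCert whose trust is not u,u,Pu and any nickname that appears more than once (like the two auditSigningCert entries Mohammad noticed); the listing it runs on is constructed from the one posted above and the function only reads, it never modifies the database.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Dogtag NSS database listing
# for the trust-flag problem Rob describes, without modifying the database.
# Feed it the text that `certutil -L -d /var/lib/pki-ca/alias` prints.

# Listing constructed from the one Mohammad posted (same nicknames and flags).
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                     u,u,Pu
Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
ocspSigningCert cert-pki-ca                   u,u,Pu'

# audit_nss_listing: reads a certutil -L listing on stdin and prints one
# finding per line:
#   WRONG_TRUST <nickname> <flags>   trust differs from what the thread states
#   DUPLICATE <nickname> x<n>        the nickname appears more than once
# Only the two expectations the thread gives are checked: the audit signing
# certificate needs u,u,Pu (Rob) and the CA signing certificate shows
# CTu,Cu,Cu in the posted listing. Everything else is left alone.
audit_nss_listing() {
    awk '
        # Skip the two header lines and blank separators.
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            trust = $NF                           # last column: trust flags
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick) # everything before it: nickname
            seen[nick]++
            if (nick == "auditSigningCert cert-pki-ca" && trust != "u,u,Pu")
                print "WRONG_TRUST " nick " " trust
            if (nick == "caSigningCert cert-pki-ca" && trust != "CTu,Cu,Cu")
                print "WRONG_TRUST " nick " " trust
        }
        END {
            for (n in seen)
                if (seen[n] > 1) print "DUPLICATE " n " x" seen[n]
        }
    '
}

# Run on the constructed listing. On a server, replace printf with
#   certutil -L -d /var/lib/pki-ca/alias | audit_nss_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_nss_listing | LC_ALL=C sort
```

A WRONG_TRUST line for the audit certificate is exactly the case Rob's `certutil -M ... -t u,u,Pu` command repairs; a DUPLICATE line is something to investigate before changing anything, since `-n` addresses both entries by the same nickname.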
From Steven.Auerbach at flbog.edu Thu Jul 21 20:38:50 2016
From: Steven.Auerbach at flbog.edu (Auerbach, Steven)
Date: Thu, 21 Jul 2016 20:38:50 +0000
Subject: [Freeipa-users] Odd Password Issue Across the realm

We have our IPA set up as master-master and we have about 25 clients in realm (including the IPA servers themselves).

We have a single user who changed his unexpired password using the passwd command logged on to one of the registered clients.

Thereafter, when he logs on to any of the client servers in the realm with the exception of one, his new password is accepted. On only one client server his new password is not accepted. That client server will only let him in with a password that was in effect 2 password changes in the past.

I believe that there is no sync problem between the IPA Masters because I changed the admin password on one of them (IPA Master) yesterday and it was available immediately after a logout to sign on as admin to the other master with the new password.

Are we instructing users with the wrong command for changing an unexpired password? If not, where would we turn to rectify this issue that this one user has with the one IPA client server?

Steven Auerbach
Systems Administrator
State University System of Florida Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerbach at flbog.edu | www.flbog.edu
From roberto.cornacchia at gmail.com Thu Jul 21 21:11:35 2016
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Thu, 21 Jul 2016 23:11:35 +0200
Subject: [Freeipa-users] named-pkcs11 doesn't start after bind update

- FC23
- IPA 4.2.4

After a dnf update, bind was updated (no ipa updates), and named-pkcs11 doesn't start anymore.

$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g
21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
21-Jul-2016 23:08:50.332 ----------------------------------------------------
21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
21-Jul-2016 23:08:50.332 corporation. Support and training for BIND 9 are
21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
21-Jul-2016 23:08:50.332 ----------------------------------------------------
21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
21-Jul-2016 23:08:50.332 using up to 21000 sockets
21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
21-Jul-2016 23:08:50.335 exiting (due to fatal error)

journalctl shows:

named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store

$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/

- I have seen https://fedorahosted.org/freeipa/ticket/5520 , it doesn't help.
- With setenforce 0, same error.
- I have run ipa-dns-install, it recreates named.conf, tokens etc. named-pkcs11 still doesn't start.

Please, any idea?

Roberto
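Roberto's UPDATE and Ben Lipton's reply further down trace this failure to SELinux: named-pkcs11 now runs as named_t and is denied access to the ipa_var_lib_t token store, which the kernel records as AVC denials. As an added example that is not part of the thread, the POSIX shell function below condenses such records into the permissions each source type is missing on each target type and object class; the records it runs on are constructed after the ones Ben posts (the token directory name is a placeholder), and on a real host the input would come from `ausearch -m AVC -c named-pkcs11`.

```shell
#!/bin/sh
# Added example (not from the thread): summarize SELinux AVC denials per
# (source type, target type, object class) so a set of records reads as
# "named_t lacks these permissions on ipa_var_lib_t". Input is the text
# ausearch or audit.log produces; on the affected host:
#   ausearch -m AVC -c named-pkcs11 | summarize_avc

# Records constructed after the ones in Ben Lipton's reply; TOKEN-UUID stands
# in for the real SoftHSM token directory name.
SAMPLE_AUDIT='----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for  pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/TOKEN-UUID/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for  pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/TOKEN-UUID/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/TOKEN-UUID/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1'

# summarize_avc: reads audit text on stdin, prints one line per
# "source_type -> target_type (class)" with the union of denied permissions,
# and marks whether any of those denials happened in enforcing mode
# (permissive=0, the process was actually blocked) or only while permissive.
summarize_avc() {
    awk '
        /avc: +denied/ {
            # Permissions are the brace-delimited list: denied  { read write }
            if (!match($0, /\{[^}]*\}/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            src = ""; tgt = ""; cls = ""; permissive = "?"
            for (i = 1; i <= NF; i++) {
                # Contexts are user:role:type:level; the type is the 3rd field.
                if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/)   { split(substr($i, 10), b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)     cls = substr($i, 8)
                if ($i ~ /^permissive=/) permissive = substr($i, 12)
            }
            key = src " -> " tgt " (" cls ")"
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++)
                if (!((key, p[j]) in seen)) {
                    seen[key, p[j]] = 1
                    out[key] = out[key] " " p[j]
                }
            if (permissive == "0") enforced[key] = 1
        }
        END {
            for (k in out)
                print k ":" out[k] (k in enforced ? "  [enforced]" : "  [permissive]")
        }
    '
}

# Run on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | LC_ALL=C sort
```

The two summary lines are what a policy fix for this bug has to grant; "[permissive]" on every line means the records were collected with enforcement off, which matches Roberto seeing the service start only with SELinux disabled.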
From roberto.cornacchia at gmail.com Thu Jul 21 21:51:04 2016
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Thu, 21 Jul 2016 23:51:04 +0200
Subject: [Freeipa-users] named-pkcs11 doesn't start after bind update

UPDATE:

Tried again the whole procedure with ipa-dns-install, and it DOES work with SElinux disabled, and still fails with SElinux enabled.

So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" makes sense.

Can someone help me fix it?

$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/

From rcritten at redhat.com Thu Jul 21 22:24:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 Jul 2016 18:24:07 -0400
Subject: [Freeipa-users] Odd Password Issue Across the realm
Message-ID: <57914B87.8000502@redhat.com>

Auerbach, Steven wrote:
> We have our IPA set up as master-master and we have about 25 clients in
> realm (including the IPA servers themselves).
>
> We have a single user who changed his unexpired password using the
> passwd command logged on to one of the registered clients.
>
> Thereafter, when he logs on to any of the client servers in the realm
> with the exception of one, his new password is accepted. On only one
> client server his new password is not accepted. That client server will
> only let him in with a password that was in effect 2 password changes in
> the past.
>
> I believe that there is no sync problem between the IPA Masters because
> I changed the admin password on one of them (IPA Master) yesterday and
> it was available immediately after a logout to sign on as admin to the
> other master with the new password.
>
> Are we instructing users with the wrong command for changing an
> unexpired password? If not, where would we turn to rectify this issue
> that this one user has with the one IPA client server?

I wonder if sssd on that client is in offline mode.
rob

From blipton at redhat.com Fri Jul 22 02:43:19 2016
From: blipton at redhat.com (Ben Lipton)
Date: Thu, 21 Jul 2016 22:43:19 -0400
Subject: [Freeipa-users] named-pkcs11 doesn't start after bind update

I'm not familiar enough with Fedora release engineering to know how this gets fixed permanently, but I'll share some investigation I've done.

This appears to be due to a change in the selinux-policy-targeted package that happened recently. As of the latest version, named-pkcs11 tries to run as type named_t instead of unconfined_service_t, but it isn't allowed to read the files from IPA [1]. When I downgraded to the selinux-policy and selinux-policy-targeted packages from [2] I was able to start named-pkcs11, so that might be a workaround you can use for now. Ultimately, the patch that fixes [3] might need to be backported to F23.

Ben

[1]
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

[2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106

From linuxguru.co at gmail.com Fri Jul 22 03:08:40 2016
From: linuxguru.co at gmail.com (Devin Acosta)
Date: Thu, 21 Jul 2016 20:08:40 -0700
Subject: [Freeipa-users] FreeIPA / Change SSL Certificate for Web Server

I have just installed a newly created FreeIPA server running CentOS 7.2. I have a (wildcard) SSL Certificate that I want to use for the FreeIPA Web Management GUI.
I tried to follow the directions listed here at the URL of https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP; however, when I run those steps I get the error message:

ipa-server-certinstall -w -d star.linuxstack.cloud.key star.linuxstack.cloud.crt
Directory Manager password:

Enter private key unlock password:

org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20160722021526".

Any ideas? It seems like I need to somehow just get the one installed by default replaced. I don't see any information on how to just replace it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From flo at redhat.com Fri Jul 22 07:06:18 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Fri, 22 Jul 2016 09:06:18 +0200
Subject: [Freeipa-users] FreeIPA / Change SSL Certificate for Web Server
In-Reply-To:
References:
Message-ID: <9460f8f4-6319-0651-2191-91f3accc3fee@redhat.com>

On 07/22/2016 05:08 AM, Devin Acosta wrote:
>
> I have just installed a newly created FreeIPA server running CentOS 7.2.
> I have a (wildcard) SSL Certificate that I want to use for the FreeIPA
> Web Management GUI. I tried to follow the directions listed here at the
> URL
> of https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> however when I run those steps I get the error message:
>
> ipa-server-certinstall -w -d star.linuxstack.cloud.key
> star.linuxstack.cloud.crt
> Directory Manager password:
>
> Enter private key unlock password:
>
> org.fedorahosted.certmonger.duplicate: Certificate at same location is
> already used by request with nickname "20160722021526".
>
> Any ideas? It seems like I need to somehow just get the one installed by
> default replaced. I don't see any information on how to just replace it?
>

Hi Devin,

you may be hitting issue 4785 [1]. When ipa-server-certinstall is run, it does not stop tracking the previous server certificate and fails to start tracking the new cert.

As a side note, with -w -d you are replacing both the directory server certificate and the Web Management GUI certificate. If you only want to replace the web cert, you can drop the -d option.

Flo.

[1] https://fedorahosted.org/freeipa/ticket/4785

From pspacek at redhat.com Fri Jul 22 07:51:41 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 22 Jul 2016 09:51:41 +0200
Subject: [Freeipa-users] named-pkcs11 doesn't start after bind update
In-Reply-To:
References:
Message-ID:

On 22.7.2016 04:43, Ben Lipton wrote:
> I'm not familiar enough with Fedora release engineering to know how this gets
> fixed permanently, but I'll share some investigation I've done.
>
> This appears to be due to a change in the selinux-policy-targeted package that
> happened recently. As of the latest version, named-pkcs11 tries to run as type
> named_t instead of unconfined_service_t, but it isn't allowed to read the
> files from IPA [1]. When I downgraded to the selinux-policy and
> selinux-policy-targeted packages from [2] I was able to start named-pkcs11, so
> that might be a workaround you can use for now. Ultimately, the patch that
> fixes [3] might need to be backported to F23.

This is being tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1357665

Stay tuned.
Petr^2 Spacek > > Ben > > [1] > ---- > time->Fri Jul 22 04:17:44 2016 > type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 > comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 > scontext=system_u:system_r:named_t:s0 > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1 > ---- > time->Fri Jul 22 04:17:44 2016 > type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for > pid=11616 comm="named-pkcs11" > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" > dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > ---- > time->Fri Jul 22 04:17:44 2016 > type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for > pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 > scontext=system_u:system_r:named_t:s0 > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > ---- > time->Fri Jul 22 04:17:44 2016 > type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 > comm="named-pkcs11" > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > ---- > time->Fri Jul 22 04:17:44 2016 > type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 > comm="named-pkcs11" > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088 > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106 > > On 07/21/2016 05:51 PM, Roberto Cornacchia wrote: >> UPDATE: >> >> Tried again the whole procedure with ipa-dns-install, and it DOES work with >> SElinux disable, 
and still fails with SElinux enabled. >> >> So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" >> makes sense. >> >> Can someone help me fix it? >> >> $ ll -Z /var/lib/ipa/dnssec/ >> total 12 >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 >> 22:50 softhsm_pin* >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 >> 22:50 tokens/ >> >> >> >> On 21 July 2016 at 23:11, Roberto Cornacchia > > wrote: >> >> - FC23 >> - IPA 4.2.4 >> >> After a dnf update, bind was updated (no ipa updates), >> and named-pkcs11 doesn't start anymore. >> >> >> $ /usr/sbin/named-pkcs11 -d 9 -g >> 21-Jul-2016 23:08:50.332 starting BIND >> 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g >> 21-Jul-2016 23:08:50.332 built with >> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' >> '--program-prefix=' '--disable-dependency-tracking' >> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' >> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' >> '--includedir=/usr/include' '--libdir=/usr/lib64' >> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' >> '--mandir=/usr/share/man' '--infodir=/usr/share/info' >> '--with-python=/usr/bin/python3' '--with-libtool' >> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' >> '--enable-filter-aaaa' '--with-pic' '--disable-static' >> '--disable-openssl-version-check' >> '--includedir=/usr/include/bind9' '--with-tuning=large' >> '--with-geoip' '--enable-native-pkcs11' >> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' >> '--with-dlopen=yes' '--with-dlz-ldap=yes' >> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' >> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' >> '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' >> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' >> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' >> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall >> 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions >> -fstack-protector-strong --param=ssp-buffer-size=4 >> -grecord-gcc-switches >> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 >> -mtune=generic' 'LDFLAGS=-Wl,-z,relro >> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= >> -DDIG_SIGCHASE' >> 21-Jul-2016 23:08:50.332 >> ---------------------------------------------------- >> 21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems >> Consortium, >> 21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) >> public-benefit >> 21-Jul-2016 23:08:50.332 corporation. Support and training for >> BIND 9 are >> 21-Jul-2016 23:08:50.332 available at https://www.isc.org/support >> 21-Jul-2016 23:08:50.332 >> ---------------------------------------------------- >> 21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to >> 1048576 >> 21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads >> 21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface >> 21-Jul-2016 23:08:50.332 using up to 21000 sockets >> 21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver >> 21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen' >> 21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen' >> 21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization >> failed >> 21-Jul-2016 23:08:50.335 exiting (due to fatal error) >> >> journalctl shows: >> >> named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate >> object store in /var/lib/softhsm/tokens/ >> named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store >> >> >> >> $ ll -Z /var/lib/ipa/dnssec/ >> total 12 >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 >> Jul 21 22:50 softhsm_pin* >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 >> 4096 Jul 21 22:50 tokens/ >> >> >> - I have seen https://fedorahosted.org/freeipa/ticket/5520 , it >> doesn't help. >> - With setenforce 0, same error. 
>> - I have run ipa-dns-install, it recreates named.conf, tokens
>> etc. named-pkcs11 still doesn't start.
>>
>> Please, any idea?

From rakesh.rajasekharan at gmail.com Fri Jul 22 07:55:27 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Fri, 22 Jul 2016 13:25:27 +0530
Subject: [Freeipa-users] sssd shows deleted users as well
Message-ID:

Hi,

I am running FreeIPA version 4.2.0 and sssd version 1.13.0.

I have set "enumerate=True" to show IPA users as well in getent passwd.

However, getent passwd continues to show users that have been deleted as well.

Here's my sssd config file:

[domain/xyz.com]
enumerate = TRUE
krb5_auth_timeout = 30

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = 10.16.11.134
chpass_provider = ipa
ipa_server = _srv_, ipa-master-int.xyz.com
dns_discovery_domain = xyz.com
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = xyz.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Is this expected behaviour, or am I missing something in my config?

Thanks,
Rakesh

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From roberto.cornacchia at gmail.com Fri Jul 22 08:04:52 2016
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Fri, 22 Jul 2016 10:04:52 +0200
Subject: [Freeipa-users] named-pkcs11 doesn't start after bind update
In-Reply-To:
References:
Message-ID:

Ben and Petr,

Thanks for your inputs, I'll keep an eye on those bug reports.

Roberto

On 22 July 2016 at 09:51, Petr Spacek wrote:
> On 22.7.2016 04:43, Ben Lipton wrote:
> > I'm not familiar enough with Fedora release engineering to know how this gets
> > fixed permanently, but I'll share some investigation I've done.
> >
> > This appears to be due to a change in the selinux-policy-targeted package that
> > happened recently.
As of the latest version, named-pkcs11 tries to run > as type > > named_t instead of unconfined_service_t, but it isn't allowed to read the > > files from IPA [1]. When I downgraded to the selinux-policy and > > selinux-policy-targeted packages from [2] I was able to start > named-pkcs11, so > > that might be a workaround you can use for now. Ultimately, the patch > that > > fixes [3] might need to be backported to F23. > > This is being tracked as > https://bugzilla.redhat.com/show_bug.cgi?id=1357665 > > Stay tuned. > > Petr^2 Spacek > > > > > Ben > > > > [1] > > ---- > > time->Fri Jul 22 04:17:44 2016 > > type=AVC msg=audit(1469153864.756:705): avc: denied { read } for > pid=11616 > > comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 > > scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1 > > ---- > > time->Fri Jul 22 04:17:44 2016 > > type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for > > pid=11616 comm="named-pkcs11" > > > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" > > dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > ---- > > time->Fri Jul 22 04:17:44 2016 > > type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for > > pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 > > scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > ---- > > time->Fri Jul 22 04:17:44 2016 > > type=AVC msg=audit(1469153864.757:708): avc: denied { open } for > pid=11616 > > comm="named-pkcs11" > > > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" > > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > ---- > > time->Fri Jul 22 04:17:44 2016 > > type=AVC 
msg=audit(1469153864.757:709): avc: denied { lock } for > pid=11616 > > comm="named-pkcs11" > > > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" > > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > > > [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088 > > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106 > > > > On 07/21/2016 05:51 PM, Roberto Cornacchia wrote: > >> UPDATE: > >> > >> Tried again the whole procedure with ipa-dns-install, and it DOES work > with > >> SElinux disable, and still fails with SElinux enabled. > >> > >> So the error "Failed to enumerate object store in > /var/lib/softhsm/tokens/" > >> makes sense. > >> > >> Can someone help me fix it? > >> > >> $ ll -Z /var/lib/ipa/dnssec/ > >> total 12 > >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul > 21 > >> 22:50 softhsm_pin* > >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul > 21 > >> 22:50 tokens/ > >> > >> > >> > >> On 21 July 2016 at 23:11, Roberto Cornacchia < > roberto.cornacchia at gmail.com > >> > wrote: > >> > >> - FC23 > >> - IPA 4.2.4 > >> > >> After a dnf update, bind was updated (no ipa updates), > >> and named-pkcs11 doesn't start anymore. 
> >> > >> > >> $ /usr/sbin/named-pkcs11 -d 9 -g > >> 21-Jul-2016 23:08:50.332 starting BIND > >> 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g > >> 21-Jul-2016 23:08:50.332 built with > >> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' > >> '--program-prefix=' '--disable-dependency-tracking' > >> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' > >> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' > >> '--includedir=/usr/include' '--libdir=/usr/lib64' > >> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' > >> '--mandir=/usr/share/man' '--infodir=/usr/share/info' > >> '--with-python=/usr/bin/python3' '--with-libtool' > >> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' > >> '--enable-filter-aaaa' '--with-pic' '--disable-static' > >> '--disable-openssl-version-check' > >> '--includedir=/usr/include/bind9' '--with-tuning=large' > >> '--with-geoip' '--enable-native-pkcs11' > >> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' > >> '--with-dlopen=yes' '--with-dlz-ldap=yes' > >> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' > >> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' > >> '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' > >> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' > >> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' > >> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall > >> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions > >> -fstack-protector-strong --param=ssp-buffer-size=4 > >> -grecord-gcc-switches > >> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 > >> -mtune=generic' 'LDFLAGS=-Wl,-z,relro > >> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= > >> -DDIG_SIGCHASE' > >> 21-Jul-2016 23:08:50.332 > >> ---------------------------------------------------- > >> 21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems > >> Consortium, > >> 21-Jul-2016 23:08:50.332 Inc. 
(ISC), a non-profit 501(c)(3) > >> public-benefit > >> 21-Jul-2016 23:08:50.332 corporation. Support and training for > >> BIND 9 are > >> 21-Jul-2016 23:08:50.332 available at https://www.isc.org/support > >> 21-Jul-2016 23:08:50.332 > >> ---------------------------------------------------- > >> 21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to > >> 1048576 > >> 21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads > >> 21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface > >> 21-Jul-2016 23:08:50.332 using up to 21000 sockets > >> 21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver > >> 21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen' > >> 21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen' > >> 21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization > >> failed > >> 21-Jul-2016 23:08:50.335 exiting (due to fatal error) > >> > >> journalctl shows: > >> > >> named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate > >> object store in /var/lib/softhsm/tokens/ > >> named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object > store > >> > >> > >> > >> $ ll -Z /var/lib/ipa/dnssec/ > >> total 12 > >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 > 30 > >> Jul 21 22:50 softhsm_pin* > >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 > >> 4096 Jul 21 22:50 tokens/ > >> > >> > >> - I have seen https://fedorahosted.org/freeipa/ticket/5520 , it > >> doesn't help. > >> - With setenforce 0, same error. > >> - I have run ipa-dns-install, it recreates named.conf, tokens > >> etc. named-pkcs11 still doesn't start. > >> > >> > >> Please, any idea? > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
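Ben's AVC records above show exactly what the policy change broke: named-pkcs11 now runs as named_t and needs read/write/open/lock on the SoftHSM token files under /var/lib/ipa/dnssec, which are labelled ipa_var_lib_t. The script below is an added example, not code from the thread or from the FreeIPA project. It parses AVC denial lines of that shape, aggregates the denied permissions per source type, target type and object class, and prints the result as the allow rules audit2allow would generate. The five sample records are a constructed copy of the ones Ben posted (the "time->" separator lines are dropped). Note that every record carries permissive=1, i.e. the access was logged but not blocked, which is why the failure only shows up with enforcing on. Building a local module from such rules (checkmodule, semodule_package, semodule -i) is a stop-gap; the proper fix is the selinux-policy update tracked in the bugzilla above.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records from Ben's message, without
# the "time->" separator lines that ausearch prints between them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # user:role:type:level -> keep only the type, which is what a TE rule names
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1: the access was logged but allowed (permissive domain/mode)
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def summarize(log_text):
    """Aggregate denials into {(source type, target type, class): set of perms}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(summary)


def allow_rules(summary):
    """Render the aggregate as TE allow rules, the way audit2allow prints them."""
    return ['allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))
            for (stype, ttype, tclass), perms in sorted(summary.items())]


if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

Run against the sample it prints one rule for the tokens directory and one for the files inside it. Feed it `ausearch -m AVC -ts recent` output on a box showing the same symptom to confirm that the denials are really only named_t vs ipa_var_lib_t before installing any local policy.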
From pspacek at redhat.com Fri Jul 22 08:14:10 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 22 Jul 2016 10:14:10 +0200
Subject: [Freeipa-users] FreeIPA and slave MIT slave KDCs
In-Reply-To:
References:
Message-ID: <726f2245-c88e-4840-0754-38dcffc2f674@redhat.com>

On 21.7.2016 22:05, Diogenes S. Jesus wrote:
> Hi everyone.
>
> I'm currently planning on deploying FreeIPA as the Master KDC (among other
> things to leverage from the API and some other built-in features - like
> replicas).
> However I find (correct me if I'm wrong) FreeIPA not very modular - therefore
> I would like to know what's the strategy when deploying slave KDCs.
>
> I've seen this thread but I
> don't really want to have a replica - the idea was to deploy a separate box
> only running KDC - since the authentication is delegated to RADIUS for
> Authentication, I don't need to expose LDAP Master to KDC slaves - If yes,
> I would provide a read-only LDAP replica..
>
> For starters, where is the FreeIPA KDC stash file stored?

AFAIK there is no prior art in setting up MIT KDC slaves.

First of all, FreeIPA does not use a stash file and stores the master key in LDAP instead. You can retrieve the equivalent of a stash file using the following command:

$ ipa-getkeytab --retrieve --principal K/M@ -k /tmp/stash.keytab --binddn='cn=Directory manager' --bindpw=''

*Make sure* that the --retrieve option is present, otherwise it will destroy your Kerberos database.

The rest is up to your experimentation. I wish you good luck and please report your findings back to the mailing list!
--
Petr^2 Spacek

From lslebodn at redhat.com Fri Jul 22 08:28:30 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 22 Jul 2016 10:28:30 +0200
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To:
References:
Message-ID: <20160722082829.GC22052@10.4.128.1>

On (22/07/16 13:25), Rakesh Rajasekharan wrote:
>Hi,
>
>I am running freeipa version 4.2.0 and sssd version 1.13.0
>
>I have set "enumerate=True" to show IPA users as well in getent passwd.
>
>However, the getent passwd continues to show users that have got deleted as
>well.
>
>Heres my sssd config file
>[domain/xyz.com]
>enumerate = TRUE
>krb5_auth_timeout = 30
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = xyz.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = 10.16.11.134
>chpass_provider = ipa
>ipa_server = _srv_, ipa-master-int.xyz.com
>dns_discovery_domain = xyz.com
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = xyz.com
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>Is this an expected behaviour or am i missing something in my config
>

When a user is removed from IPA, it is not automatically removed from sssd. SSSD has a few levels of caches which are indirectly used by "getent passwd". The user or group will be removed after the next look-up in IPA, which is usually after expiration of the entry in the sssd cache.

Another way to force removal of entries from the sssd cache is to authenticate as the user. SSSD fetches the latest data from LDAP/IPA with each authentication, for security reasons.

You can also invalidate the user in the sssd cache with "sss_cache -u someuser", and SSSD will detect the removed user in IPA after it attempts to refresh the data in the sssd cache.
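The mechanism Lukas describes here, and the lastUSN-based incremental enumeration Jakub explains in the next message, can be shown with a small simulation. The following is an added example, not sssd's or FreeIPA's code: a toy LDAP server whose entries carry the USN of their last change, and a toy cache that (a) enumerates by fetching only entries changed since the last run, which never removes anything, and (b) refreshes a single entry on a direct lookup once it has been invalidated, which is when a deleted user finally disappears. Names, UIDs and the USN bookkeeping are constructed for the example; the real cache also expires entries on a timer, which is modelled here only as an explicit invalidate() call.

```python
import itertools


class Directory:
    """Toy stand-in for the IPA LDAP server. Every write advances a USN
    counter and entries carry the USN of their last change (like entryUSN)."""

    def __init__(self):
        self._usn = itertools.count(1)
        self.entries = {}   # uid -> {'uid': ..., 'uidNumber': ..., 'usn': n}

    def add(self, uid, uidnumber):
        self.entries[uid] = {'uid': uid, 'uidNumber': uidnumber, 'usn': next(self._usn)}

    def delete(self, uid):
        # The counter still advances, but the deleted entry no longer matches a
        # normal search, so "changed since USN n" returns nothing for it.
        del self.entries[uid]
        next(self._usn)

    def search_changed_since(self, usn):
        return [dict(e) for e in self.entries.values() if e['usn'] > usn]

    def lookup(self, uid):
        e = self.entries.get(uid)
        return dict(e) if e is not None else None


class SssdCache:
    """Toy model of the sssd cache behind 'getent passwd' (not sssd's code)."""

    def __init__(self, directory):
        self.dir = directory
        self.cache = {}
        self.last_usn = 0

    def enumerate(self):
        """Incremental enumeration: fetch only entries changed since last time
        and merge them into the cache. Nothing is ever removed here."""
        for e in self.dir.search_changed_since(self.last_usn):
            self.cache[e['uid']] = e
            self.last_usn = max(self.last_usn, e['usn'])
        return sorted(self.cache)

    def getent(self, uid):
        """Single-user lookup: served from cache while the entry is valid,
        otherwise refreshed from the server, which evicts deleted users."""
        cached = self.cache.get(uid)
        if cached is not None and not cached.get('expired'):
            return cached
        fresh = self.dir.lookup(uid)
        if fresh is None:
            self.cache.pop(uid, None)
        else:
            self.cache[uid] = fresh
        return fresh

    def invalidate(self, uid):
        """What 'sss_cache -u uid' does: mark the entry expired so the next
        lookup has to go back to the server."""
        if uid in self.cache:
            self.cache[uid]['expired'] = True


def demo():
    d = Directory()
    d.add('alice', 10001)
    d.add('bob', 10002)
    c = SssdCache(d)
    first = c.enumerate()              # ['alice', 'bob']
    d.delete('bob')
    stale = c.enumerate()              # still ['alice', 'bob']
    hit = c.getent('bob') is not None  # True: stale entry served from cache
    c.invalidate('bob')                # sss_cache -u bob
    gone = c.getent('bob') is None     # True: refresh finds nothing, entry evicted
    after = c.enumerate()              # ['alice']
    return first, stale, hit, gone, after


if __name__ == '__main__':
    print(demo())
```

The point of the simulation is the second enumerate() call: with nothing newer than the last USN, the cache is left exactly as it was, deleted entry included, until something forces a per-entry refresh.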
LS

From jhrozek at redhat.com Fri Jul 22 08:41:48 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 22 Jul 2016 10:41:48 +0200
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To: <20160722082829.GC22052@10.4.128.1>
References: <20160722082829.GC22052@10.4.128.1>
Message-ID: <20160722084148.GV20343@hendrix>

On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> >Hi,
> >
> >I am running freeipa version 4.2.0 and sssd version 1.13.0
> >
> >I have set "enumerate=True" to show IPA users as well in getent passwd.
> >
> >However, the getent passwd continues to show users that have got deleted as
> >well.
> >
> >Heres my sssd config file
> >[domain/xyz.com]
> >enumerate = TRUE
> >krb5_auth_timeout = 30
> >
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = xyz.com
> >id_provider = ipa
> >auth_provider = ipa
> >access_provider = ipa
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >ipa_hostname = 10.16.11.134
> >chpass_provider = ipa
> >ipa_server = _srv_, ipa-master-int.xyz.com
> >dns_discovery_domain = xyz.com
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >
> >domains = xyz.com
> >[nss]
> >homedir_substring = /home
> >
> >[pam]
> >
> >[sudo]
> >
> >[autofs]
> >
> >[ssh]
> >
> >[pac]
> >
> >[ifp]
> >
> >Is this an expected behaviour or am i missing something in my config
> >
> When user is removed from IPA then it is not automatically removed from sssd.
> SSSD has few levels of caches which are indirectly used by "getent passwd".
> The user or group will be removed after next look-up in IPA which
> is usually after expiration of entry in sssd cache.

Deleted users are only detected when they are looked up directly or when a cleanup task is run, because, in order to avoid fetching the whole directory all the time, enumeration tries to only download entries with a higher lastUSN than seen last time.
So as Lukas said, it can be expected that entries show up.

I think the most important lesson here should be: don't use "enumerate=true" :-)

>
> Another way how to force removing entries from sssd cache is
> to authenticate with user. SSSD fetch latest data from LDAP/IPA
> with each authentication for security reasons.
>
> You can also invalidate user in sssd cache "sss_cache -u someuser"
> and SSSD will detect removed user in IPA after attempt to refresh data
> in sssd cache.
>
> LS
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From julliot at ljll.math.upmc.fr Fri Jul 22 09:42:47 2016
From: julliot at ljll.math.upmc.fr (Sébastien Julliot)
Date: Fri, 22 Jul 2016 11:42:47 +0200
Subject: [Freeipa-users] Bypass pre-hashed passwords verification
Message-ID:

Hello everyone,

I am currently trying to deploy FreeIPA as the new idm system in my university but came across a problem I could not solve yet. I need to bypass the pre-hashed password verification, not only on user creation.

Due to several constraints, our workflow involves periodically (once a day, currently) receiving an ldif file containing the users' up-to-date information (including hashed passwords) and inserting this information into the idm. As our goal is to unify users' passwords in the university but we do not have access to the higher-level LDAP directly, we injected these pre-hashed passwords directly into the LDAP until today.

Yet, every attempt I made to update users' passwords with pre-hashed passwords has failed so far.

First I tried this (migration mode enabled):

$ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
/*OK*/
$ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials

As expected from the documentation, it does not work :p

I then thought about trying to copy the migration plug-in, and change the way it retrieves users (from LDIF rather than from an online LDAP server). Since this plugin is able to

But again, even binding as Directory Manager, the ipa ldap2 backend method add_entry refuses me (I tested my code without the userPassword field and the users are correctly inserted).

Here is my code:

    import ldif                                   # python-ldap's LDIF parser
    import ipalib
    from ipapython.dn import DN
    from ipaserver.plugins.ldap2 import ldap2


    class ldif_importer(ldif.LDIFParser):
        '''Feed every record of test.ldif straight into the IPA LDAP backend'''

        def __init__(self, ldap_backend):
            ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
            self.ldap = ldap_backend

        def handle(self, dn, entry):
            # called by parse() once per LDIF record; entry is {attr: [values]}
            self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))


    class my_backend(ipalib.Backend):
        '''Backend to import ldap passwords from ldif'''

        def __init__(self, api):
            ipalib.Backend.__init__(self, api)
            self.ldap = ldap2(self.api)
            # bind as Directory Manager rather than with a Kerberos ccache
            self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
                              bind_pw='***********')

        def parse(self):
            importer = ldif_importer(self.ldap)
            importer.parse()


    class my_command(ipalib.Command):
        '''Command calling my_backend to import passwords from ldif'''

        def execute(self, **options):
            '''Implemented against my_backend'''
            self.Backend.my_backend.parse()
            return {'result': 'everything OK'}

Should one of these methods have worked, and I did it incorrectly? Otherwise, what would be the lowest-impact solution to achieve this? (Yes, I understand the security concerns about sending password hashes over the network, but this choice does not depend on me.)

Many thanks in advance,
Sebastien.

-------------- next part --------------
A non-text attachment was scrubbed...
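Sébastien's importer hands every LDIF record to ldap2.add_entry as it arrives. Before doing that with a daily feed, a practitioner would want to know what the feed actually contains: which password scheme each userPassword carries, whether any value is unhashed, and, for a known test account, that the hash verifies against the expected password. The following is an added example (not Sébastien's code and not part of FreeIPA or python-ldap): a minimal, stdlib-only LDIF reader that handles folded continuation lines and base64 ("::") values, plus verification of the {MD5}, {SHA} and {SSHA} schemes in the form 389-ds stores them ({SSHA} is base64 of sha1(password || salt) followed by the salt). The sample feed, its DNs, passwords and salt are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def parse_ldif(text):
    """Minimal LDIF reader (stdlib only): returns [(dn, {attr: [values]}), ...].
    Handles comment lines, folded continuation lines (leading space) and
    base64-encoded values ("attr:: ...")."""
    # Unfolding: a newline followed by exactly one space joins two lines.
    unfolded = re.sub(r'\n ', '', text)
    records = []
    for block in re.split(r'\n\s*\n', unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith('#') or line.startswith('version:'):
                continue
            name, _, value = line.partition(':')
            if value.startswith(':'):                       # base64 value
                value = base64.b64decode(value[1:].strip()).decode('utf-8')
            else:
                value = value.strip()
            if name == 'dn':
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


SCHEME_RE = re.compile(r'^\{([A-Za-z0-9-]+)\}(.*)$', re.S)


def password_scheme(stored):
    """'{SSHA}...' -> 'SSHA'; None when the value carries no scheme prefix."""
    m = SCHEME_RE.match(stored or '')
    return m.group(1).upper() if m else None


def md5_hash(password):
    return '{MD5}' + base64.b64encode(hashlib.md5(password.encode()).digest()).decode('ascii')


def ssha_hash(password, salt):
    # 389-ds {SSHA}: base64( sha1(password || salt) || salt )
    digest = hashlib.sha1(password.encode() + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def verify_password(stored, candidate):
    """Check a candidate password against a {MD5}/{SHA}/{SSHA} value."""
    scheme = password_scheme(stored)
    if scheme is None:
        raise ValueError('value has no {SCHEME} prefix')
    raw = base64.b64decode(SCHEME_RE.match(stored).group(2))
    pw = candidate.encode()
    if scheme == 'MD5':
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == 'SHA':
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == 'SSHA':
        digest, salt = raw[:20], raw[20:]       # sha1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError('unsupported scheme %s' % scheme)


def audit_feed(text):
    """Map each DN to the password scheme its userPassword uses (None = unhashed)."""
    return {dn: password_scheme(attrs.get('userPassword', [None])[0])
            for dn, attrs in parse_ldif(text)}


# Constructed sample feed (DNs, passwords and salt are made up for the example).
SAMPLE_LDIF = (
    'dn: uid=alice,ou=people,dc=example,dc=edu\n'
    'uid: alice\n'
    'description: imported from the \n university feed\n'          # folded line
    'userPassword: ' + ssha_hash('correct horse', b'\x01\x02\x03\x04') + '\n'
    '\n'
    'dn: uid=bob,ou=people,dc=example,dc=edu\n'
    'uid: bob\n'
    'userPassword:: ' + base64.b64encode(md5_hash('hello').encode()).decode('ascii') + '\n'
    '\n'
    'dn: uid=carol,ou=people,dc=example,dc=edu\n'
    'uid: carol\n'
    'userPassword: plaintext-oops\n'
)

if __name__ == '__main__':
    for dn, scheme in sorted(audit_feed(SAMPLE_LDIF).items()):
        print(dn, scheme or 'NOT HASHED')
```

Running audit_feed over the real file before the import makes the unhashed or unknown-scheme entries visible, and verify_password on a test account catches a feed whose {SSHA} values were produced with a different layout (salt before digest, or a different digest length) before those values reach the directory.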
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From peter at pakos.uk Fri Jul 22 12:22:50 2016
From: peter at pakos.uk (Peter Pakos)
Date: Fri, 22 Jul 2016 13:22:50 +0100
Subject: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
In-Reply-To:
References:
Message-ID:

A massive thank you to Jan Cholasta for handholding me while I was getting this problem fixed. This is how we did it...

1. List all CA certificates in the LDAP directory:

   ldapsearch -b cn=certificates,cn=ipa,$basedn

2. Using ldapdelete, get rid of all certificates that shouldn't be there; in my case there were 2 called "CA 1" and "CA 2".

3. List all certificates in the following databases ($db):
   - /etc/httpd/alias/
   - /etc/dirsrv/slapd-IPA-YOUR-REALM/
   - /etc/pki/nssdb/
   - /etc/ipa/nssdb/

   certutil -L -d $db

4. Delete incorrect certificates from the above databases:

--
Kind regards,
Peter Pakos

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter at pakos.uk Fri Jul 22 12:45:51 2016
From: peter at pakos.uk (Peter Pakos)
Date: Fri, 22 Jul 2016 13:45:51 +0100
Subject: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
Message-ID:

A massive thank you to Jan Cholasta for handholding me while I was getting this problem fixed. This is how we did it...

1. List all CA certificates in the LDAP directory:

   ldapsearch -b cn=certificates,cn=ipa,$basedn

2. Using ldapdelete (or an LDAP browser), get rid of all certificates that shouldn't be there; in my case there were 2 called "CA 1" and "CA 2".

3. On each server, list all certificates in the following databases ($db):
   - /etc/httpd/alias/
   - /etc/dirsrv/slapd-IPA-YOUR-REALM/
   - /etc/pki/nssdb/
   - /etc/ipa/nssdb/

   certutil -L -d $db

4. On each server, delete duplicated certificates ($nick = Certificate Nickname) from the above databases. Please note, this step removed both correct and incorrect certificates:

   certutil -D -d $db -n "$nick"

5. We had a conflict between one of our intermediate CA certificates supplied by Gandi and a system certificate (potentially installed by the ca-certificates package), therefore we had to run the following command on every server to stop the system cert being loaded into the httpd database:

   modutil -dbdir /etc/httpd/alias -disable 'Root Certs' -force

6. Lastly, we ran the following command on every server to load the correct certificates into all databases:

   ipa-certupdate

At this point we had a fully functioning system again, with the correct SSL certificate chain being served by both the httpd and dirsrv services.

Please note, an incorrect CA certificate was re-added to the LDAP directory later on when I deployed a new node, and I had to repeat step 2 before running ipa-certupdate on the new replica.

Once again, I would like to thank Jan for his input - keep up the good work!

--
Kind regards,
Peter Pakos

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rakesh.rajasekharan at gmail.com Fri Jul 22 12:47:32 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Fri, 22 Jul 2016 18:17:32 +0530
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To: <20160722084148.GV20343@hendrix>
References: <20160722082829.GC22052@10.4.128.1> <20160722084148.GV20343@hendrix>
Message-ID:

My specific requirement for having "enumerate=TRUE" was that we have a build server with Jenkins set up, and for authentication Jenkins tries to get the local users on the system. I should be able to get through that by configuring Jenkins to use LDAP instead of the local users.

But are there any other reasons for recommending against "enumerate=TRUE"? I recall reading somewhere as well not to use this specific setting.
Thanks,
Rakesh

On Fri, Jul 22, 2016 at 2:11 PM, Jakub Hrozek wrote:
> On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> > On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> > >Hi,
> > >
> > >I am running freeipa version 4.2.0 and sssd version 1.13.0
> > >
> > >I have set "enumerate=True" to show IPA users as well in getent passwd.
> > >
> > >However, the getent passwd continues to show users that have got deleted as well.
> > >
> > >Here's my sssd config file
> > >[domain/xyz.com]
> > >enumerate = TRUE
> > >krb5_auth_timeout = 30
> > >
> > >cache_credentials = True
> > >krb5_store_password_if_offline = True
> > >ipa_domain = xyz.com
> > >id_provider = ipa
> > >auth_provider = ipa
> > >access_provider = ipa
> > >ldap_tls_cacert = /etc/ipa/ca.crt
> > >ipa_hostname = 10.16.11.134
> > >chpass_provider = ipa
> > >ipa_server = _srv_, ipa-master-int.xyz.com
> > >dns_discovery_domain = xyz.com
> > >[sssd]
> > >services = nss, sudo, pam, ssh
> > >config_file_version = 2
> > >
> > >domains = xyz.com
> > >[nss]
> > >homedir_substring = /home
> > >
> > >[pam]
> > >
> > >[sudo]
> > >
> > >[autofs]
> > >
> > >[ssh]
> > >
> > >[pac]
> > >
> > >[ifp]
> > >
> > >Is this an expected behaviour or am I missing something in my config
> > >
> > When user is removed from IPA then it is not automatically removed from sssd.
> > SSSD has few levels of caches which are indirectly used by "getent passwd".
> > The user or group will be removed after next look-up in IPA which
> > is usually after expiration of entry in sssd cache.
>
> Deleted users are only detected when they are looked up directly or when
> a cleanup task is run, because in order to avoid fetching the whole
> directory all the time, enumeration tries to only download entries with
> higher lastUSN than seen last time. So as Lukas said, it can be expected
> that entries show up.
>
> I think the most important lesson here should be don't use
> "enumerate=true" :-)
>
> >
> > Another way how to force removing entries from sssd cache is
> > to authenticate with user. SSSD fetches latest data from LDAP/IPA
> > with each authentication for security reasons.
> >
> > You can also invalidate user in sssd cache "sss_cache -u someuser"
> > and SSSD will detect removed user in IPA after attempt to refresh data
> > in sssd cache.
> >
> > LS
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>

From pvoborni at redhat.com Fri Jul 22 13:08:20 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 22 Jul 2016 15:08:20 +0200
Subject: [Freeipa-users] Bypass pre-hashed passwords verification
In-Reply-To:
References:
Message-ID: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com>

On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
> Hello everyone,
>
> I am currently trying to deploy FreeIPA as the new idm system in my
> university but came across a problem I could not solve yet. I need to
> bypass the pre-hashed passwords verification, not only on the user creation.
>
> Due to several constraints, our workflow involves periodically (once a
> day, currently) receiving an ldif file containing the users' up-to-date
> information (including hashed passwords) and inserting this
> information into the idm. As our goal is to unify users' passwords in
> the university but we do not have access to the higher-level LDAP directly,
> we injected these pre-hashed passwords directly into the LDAP until today.
>
> Yet, every attempt I made to update users' passwords with pre-hashed
> passwords failed for now.
>
> First I tried this (migration mode enabled):
>
> ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>
> /*OK*/
>
> ? ~ kinit testuser
>
> kinit: Generic preauthentication failure while getting initial credentials
>
> As expected from the documentation, it does not work :p
>
> I then thought about trying to copy the migration plug-in, and change
> the way it retrieves users (from LDIF rather than from an online LDAP
> server). Since this plugin is able to But again, even binding as
> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
> tested my code without the userPassword field and the users are
> correctly inserted).
>
> Here is my code :
>
>     import ldif                                   # LDIF parser from python-ldap
>     import ipalib
>     from ipalib.plugable import Registry
>     from ipapython.dn import DN
>     from ipaserver.plugins.ldap2 import ldap2
>
>     # plugin registration (IPA 4.x); the pasted snippet omitted it,
>     # but self.Backend.my_backend only resolves once both plugins are registered
>     register = Registry()
>
>     class ldif_importer(ldif.LDIFParser):
>         def __init__(self, ldap_backend):
>             ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>             self.ldap = ldap_backend
>
>         def handle(self, dn, entry):
>             # called once per LDIF record; entry maps attribute -> list of values
>             self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>
>     @register()
>     class my_backend(ipalib.Backend):
>         '''Backend to import ldap passwords from ldif'''
>
>         def __init__(self, api):
>             ipalib.Backend.__init__(self, api)
>             self.ldap = ldap2(self.api)
>             self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********')
>
>         def parse(self):
>             importer = ldif_importer(self.ldap)
>             importer.parse()
>
>     @register()
>     class my_command(ipalib.Command):
>         '''Command calling my_backend to import passwords from ldif'''
>
>         def execute(self, **options):
>             '''Implemented against my_backend'''
>             self.Backend.my_backend.parse()
>             return {'result': 'everything OK'}
>
>
> Should one of these methods have worked, and I did it incorrectly ?
> Otherwise, what would be the lower-impact solution to achieve this ?
> (Yes, I understand the security concerns about sending password hashes
> on the network but this choice does not depend on me)
>
> Many thanks in advance,
> Sebastien.
>

The issue might be that the user has his userPassword migrated but he doesn't have krbPrincipalKey generated. If kerberos key is missing then it is automatically generated on successful LDAP bind (it's what ipa/migration page does).

Additional info which might interest you:
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
* http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

--
Petr Vobornik

From jan.karasek at elostech.cz Fri Jul 22 13:19:51 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Fri, 22 Jul 2016 15:19:51 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To:
References: <58ae7692-aaf4-224d-f1a0-d3d329c80e53@redhat.com> <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> <20160720160629.bietw7md672bm22c@redhat.com> <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz>
Message-ID: <148211644.2050248.1469193591355.JavaMail.zimbra@elostech.cz>

Hi,

thanks a lot for help guys. It's working now. I can successfully read POSIX attributes from AD. Just now I'm storing uidNumber, gidNumber, gecos, loginShell and unixHomeDirectory in AD.

I have trouble with homedir. It's using subdomain_homedir from sssd.conf and not reflecting the value of unixHomeDirectory attribute. Is there any way to use value from AD not from subdomain_homedir template for this parameter?
Regards,
Jan

From: "Justin Stephenson"
To: "Jan Karásek", "Alexander Bokovoy"
Cc: freeipa-users at redhat.com
Sent: Thursday, July 21, 2016 3:54:25 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

Hello,

You should remove the following from sssd.conf:

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

With the AD trust configuration, you do not need to specify any additional domain because IPA will contact AD across the trust using the external and POSIX groups you created during the trust setup.

Once done try restarting sssd and removing the /var/lib/sss/db/* cache

Kind regards,
Justin Stephenson

On 07/21/2016 07:56 AM, Jan Karásek wrote:

Thank you. Now I have IDMU installed and when creating trust, IPA is correctly autodetecting the range type:

Range name: EXAMPLE.TT_id_range
First Posix ID of the range: 10000
Number of IDs in the range: 200000
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
Range type: Active Directory trust range with POSIX attributes

When asking for uid of the AD user:

[root at ipa1 sssd]# id user1 at example.tt
uid=1392001119(user1 at example.tt) gid=1392001119(user1 at example.tt) groups=1392001119(user1 at example.tt),1392000513(domain users at example.tt),979000007(external_users)

... so ID-mapping is still in action.

According to doc:

To use existing POSIX attributes, two things must be configured:
* The POSIX attributes must be published to Active Directory's global catalog. - done with uidNumber, gidNumber
* ID mapping (ldap_id_mapping in the Active Directory domain entry) must be disabled in SSSD. - done

Here is my sssd.conf from IPA server. Is there anything else I should do to switch off ID-mapping?
[domain/a.example.tt]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt, example.tt

[nss]
#debug_level = 5
#homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

[pam]
#debug_level = 5

[sudo]

[autofs]

[ssh]
#debug_level = 4

[pac]
#debug_level = 4

[ifp]

Regards,
Jan

From: "Alexander Bokovoy"
To: "Jan Karásek"
Cc: "Justin Stephenson", freeipa-users at redhat.com
Sent: Wednesday, July 20, 2016 6:06:29 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

On Wed, 20 Jul 2016, Jan Karásek wrote:
>Hi,
>
>thank you.
>
>ldapsearch reply:
>
>search: 2
>result: 32 No such object
>matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
>text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
>'CN=RpcServices,CN=System,DC=rwe,DC=tt'
>
>actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
>
>Did I miss setting something on the AD side?

Yes. You need to setup IDMU. However, in Windows Server 2016 Microsoft removed IDMU tools. The LDAP schema will stay but there will be no means to visually edit POSIX attributes.
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

>
>Thanks,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek"
>Cc: freeipa-users at redhat.com
>Sent: Wednesday, July 20, 2016 4:09:02 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>These attributes should be available from port 389 and not the global catalog, please try a command such as:
>
>ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
>
>Replacing the root suffix in the search base, the ip-address and bind credentials.
>
>Kind regards,
>Justin Stephenson
>
>On 07/20/2016 08:15 AM, Jan Karásek wrote:
>
>Hi,
>
>thank you for the hint.
>
>In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>
>It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>
>If I understand it right, it is base uid number and the number of uids in range.
>
>If not discovered nor given via CLI, then it generates a random base and adds some default_range_size.
>
>So these two attributes must be set to use ipa-ad-trust-posix range?
>
>Could anybody help me how and where to check these attributes? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned.
>I'm using W2012 R2.
>
>Thank you,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek", freeipa-users at redhat.com
>Sent: Tuesday, July 19, 2016 8:36:00 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>Hello,
>
>When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
>
>You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>
>I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
>
>Kind regards,
>Justin Stephenson
>
>On 07/19/2016 09:44 AM, Jan Karásek wrote:
>
>Hi,
>
>I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool?
>
>I have tried to set values of attributes before and after creating trust, I have tried different sssd settings but I'm still getting uid from IPA idrange pool instead of from AD user's attribute.
>
>What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
>Do I mandatorily have to fill some AD user's attributes to get it to work? Currently I'm testing just with uidNumber and gidNumber.
>
>There is almost no documentation about this topic so I don't know what else I can try ...
>
>Thanks for help,
>
>Jan
>
>Date: Tue, 21 Jun 2016 21:38:15 +0200
>From: Jakub Hrozek
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>Message-ID: <20160621193815.GS29512 at hendrix>
>Content-Type: text/plain; charset=iso-8859-1
>
>On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
>> Hi all,
>>
>> I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>>
>> I have set up trust with these parameters:
>>
>> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>
>Did you add the POSIX attributes to AD after creating the trust maybe?
>
>>
>> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>> Range name: EXAMPLE.TT_id_range
>> First Posix ID of the range: 1392000000
>> Number of IDs in the range: 200000
>> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>> Range type: Active Directory trust range with POSIX attributes
>>
>>
>> I have set attributes in AD for user at EXAMPLE.TT
>> - uidNumber - 10000
>> - homeDirectory - /home/user
>> - loginShell - /bin/bash
>>
>> Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>>
>> Problem is, that I am not getting uid from AD but from idrange:
>>
>> uid=1392001107(user at example.tt)
>>
>> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
>
>This has no effect, in IPA-AD trust scenario, the id mapping properties
>are managed on the server.
>
>>
>> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users' information is externally inserted to AD from HR system - including POSIX attributes - and we need IPA to read them from AD.
>
>I think idviews are better for overriding POSIX attributes for a
>specific set of hosts, but in your environment, it sounds like you want
>to use the POSIX attributes across the board.
>
>>
>> So my questions are:
>>
>> Is it possible to read user's POSIX attributes directly from AD - namely uid?
>
>Yes
>
>> Which attributes can be stored in AD?
>
>Homedir is a bit special, for backwards compatibility the
>subdomains_homedir takes precedence. The others should be read from AD.
>
>I don't have the environment set at the moment, though, so I'm operating
>purely from memory.
>
>> Am I doing something wrong?
>>
>> my sssd.conf:
>> [domain/a.example.tt]
>> debug_level = 5
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = a.example.tt
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa1.a.example.tt
>> chpass_provider = ipa
>> ipa_server = ipa1.a.example.tt
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_id_mapping = true
>> #subdomain_inherit = ldap_user_principal
>> #ldap_user_principal = nosuchattribute
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = a.example.tt
>> [nss]
>> debug_level = 5
>> homedir_substring = /home
>> enum_cache_timeout = 2
>> entry_negative_timeout = 2
>>
>>
>> [pam]
>> debug_level = 5
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>> debug_level = 4
>> [pac]
>>
>> debug_level = 4
>> [ifp]
>>
>> Thanks,
>> Jan
>

--
/ Alexander Bokovoy

From jhrozek at redhat.com Fri Jul 22 13:24:36 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 22 Jul 2016 15:24:36 +0200
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To:
References: <20160722082829.GC22052@10.4.128.1> <20160722084148.GV20343@hendrix>
Message-ID: <20160722132436.GW20343@hendrix>

On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> My specific requirement for having "enumerate=TRUE" was, we have a build
> server with the jenkins set up.
> And for authentication jenkins tries to get the localusers on the system.

I'm not sure what you mean by localusers, but does Jenkins really use some sort of interface that lists all users through the system interface?
IIRC Jenkins is written in Java, so I would expect some native Java connector instead..

>
> I should be able to get through that by configuring Jenkins to use LDAP
> instead of the local users.
>
> But are there any other reasons for recommending against "enumerate=TRUE",
> I recall reading somewhere as well not to use this specific setting.

- performance
- in general (because it's not the default and few people use enumeration), less tested than the default
- idviews don't work
- trusted AD users can't be enumerated at all

From jian at traffics.de Fri Jul 22 13:34:13 2016
From: jian at traffics.de (Junhe Jian)
Date: Fri, 22 Jul 2016 15:34:13 +0200
Subject: [Freeipa-users] change GID not work
Message-ID: <061FC241309C8543AAC51450EE0CA595012BDD11DCFB@EX01.office.traffics-switch.de>

Hello,

I have a problem changing/setting the GID. Creating a new group with GID 999 in the GUI does not work; IPA generates a new GID within the range.

On the command line it is the same:

ipa group-add --gid=999 --desc='Docker Group' docker
--------------------
Added group "docker"
--------------------
  Group name: docker
  Description: Docker Group
  GID: 108600033

With group-mod the same:

ipa group-mod --gid=999 docker
-----------------------
Modified group "docker"
-----------------------
  Group name: docker
  Description: Docker Group
  GID: 108600034

I want to set it to 999 because the host has the group docker with GID=999.

I run freeipa 3.0.0 on centos 6.7

Can anybody help me?

--
Best regards
Junhe

From linov.suresh at gmail.com Fri Jul 22 13:36:27 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Fri, 22 Jul 2016 09:36:27 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <5790F710.8040900@redhat.com>
References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com>
Message-ID:

I'm facing another issue now, my kerberos tickets are not renewing,

*[root at caer ~]# ipa cert-show 1*
ipa: ERROR: Ticket expired

*[root at caer ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at TELOIP.NET

Valid starting     Expires            Service principal
07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET at TELOIP.NET
07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net at TELOIP.NET
07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net at TELOIP.NET

I need to manually renew the tickets every day,

*[root at caer ~]# kinit admin*
Password for admin at TELOIP.NET:
Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016

*[root at caer ~]# klist *
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at TELOIP.NET

Valid starting     Expires            Service principal
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET at TELOIP.NET

On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time.
>>
>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>> was run*
>>
>
> The IPA API log isn't going to show much in this case.
>
> Requests to the CA are proxied through IPA. The CA WAR is not running on
> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
> Found.
>
> You need to start with the dogtag debug and selftest logs to see what is
> going on. The logs are pretty verbose and can be challenging to read.
>
> rob
>
>
>> [root at caer ~]# *tail -f /var/log/httpd/error_log*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin at TELOIP.NET: cert_show(u'1'): CertificateOperationError
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21
>>
>>
>> Does `ipa cert-show` communicate with the same replica? Could be
>> verified by `ipa -vv cert-show`
>>
>> *It's asking for the serial number of the certificate. If I give 64
>> (serial number of ipaCert), I get ipa: ERROR: Certificate operation
>> cannot be completed: Unable to communicate with CMS (Not Found)*
>>
>> *[root at caer ~]# ipa -vv cert-show*
>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: found session_cookie in persistent storage for principal 'admin at TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
>> ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>> ipa: DEBUG: Created connection context.xmlclient
>> Serial number: 64
>> ipa: DEBUG: raw: cert_show(u'64')
>> ipa: DEBUG: cert_show(u'64')
>> ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
>> ipa: DEBUG: NSSConnection init caer.teloip.net
>> ipa: DEBUG: Connecting: 10.20.0.75:0
>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>
>> send: "> encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
>> reply: 'HTTP/1.1 200 Success\r\n'
>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>> header: Server: Apache/2.2.15 (CentOS)
>> header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>> header: Connection: close
>> header: Content-Type: text/xml; charset=utf-8
>> ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
>> ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
>>
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pupdate 457971704
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> body: "> encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate operation cannot be completed: Unable to communicate with CMS (Not Found)\n\n\n\n\n"
>> ipa: DEBUG: Caught fault 4301 from server https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> [root at caer ~]#
>>
>>
>> But more interesting is: SelfTestSubsystem: The CRITICAL self test
>> plugin called selftests.container.instance.SystemCertsVerification
>> running at startup FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>> *Yes, CA is running, *
>>
>> *[root at caer ~]# ipactl status*
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> This looks like that self test fail and therefore CA shouldn't start. It
>> also says that some of CA cert is not valid. Which one might be seen in
>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>> *[root at caer ~]# tail -100 /var/log/pki-ca/debug *
>>
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start updateCertStatus
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In getInvalidCertsByNotBeforeDate finally.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getValidCertsByNotAfterDate filter (certStatus=VALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transidValidCertificates: list size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitValidCertificates: ltSize 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction getting index 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 EDT 2016
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>>
>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik wrote:
>>
>> On 07/21/2016 05:14 PM, Linov Suresh wrote:
>> > I set debug=true in /etc/ipa/default.conf
>> >
>> > Here are my logs,
>>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time. Does `ipa cert-show` communicate with
>> the same replica? Could be verified by `ipa -vv cert-show`
>>
>> But more interesting is:
>>
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification running at startup
>> FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>>
>> This looks like the self test failed and therefore the CA shouldn't start. It
>> also says that some CA cert is not valid. Which one might be seen in
>> /var/log/pki-ca/debug, but a bigger chunk would be needed.
>>
>> >
>> > *[root at caer ~]# tail -f /var/log/httpd/error_log*
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/debug*
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25 CRL time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25)
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11 CRL time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16 CRL time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>> >
>> > But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR:
>> > Certificate operation cannot be completed: Unable to communicate with CMS (Not
>> > Found)*"
>> >
>> > On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > This could be because of incorrect trust attributes on the
>> > certificates, the current attributes are,
>> >
>> > [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias
>> >
>> > Certificate Nickname                 Trust Attributes
>> >                                      SSL,S/MIME,JAR/XPI
>> >
>> > ocspSigningCert cert-pki-ca          u,u,Pu
>> > subsystemCert cert-pki-ca            u,u,Pu
>> > caSigningCert cert-pki-ca            CTu,Cu,Cu
>> > subsystemCert cert-pki-ca            u,u,Pu
>> > Server-Cert cert-pki-ca              u,u,u
>> > auditSigningCert cert-pki-ca         u,u,Pu
>> >
>> > I'm going to fix the trust attributes and try.
>> >
>> > On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>> >
>> > On 07/20/2016 09:41 PM, Linov Suresh wrote:
>> > > I have restarted the pki-cad and checked if communication with the CA is
>> > > working, but no luck,
>> > >
>> > > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
>> > > anything other than this?
>> >
>> > /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
>> > https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>> >
>> > /var/log/pki-ca/debug
>> > /var/log/pki-ca/transactions
>> > /var/log/pki-ca/selftest.log
>> >
>> > >
>> > > [root at caer ~]# ipa cert-show 1
>> > > Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
>> > > SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
>> > > MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
>> > > HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
>> > > A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
>> > > ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
>> > > tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
>> > > UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
>> > > tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
>> > > 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
>> > > BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
>> > > HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
>> > > AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
>> > > MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
>> > > kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
>> > > 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
>> > > nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
>> > > e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
>> > > b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
>> > > Subject: CN=Certificate Authority,O=TELOIP.NET
>> > > Issuer: CN=Certificate Authority,O=TELOIP.NET
>> > > Not Before: Wed Dec 14 22:29:56 2011 UTC
>> > > Not After: Sat Dec 14 22:29:56 2019 UTC
>> > > Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>> > > Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>> > > Serial number (hex): 0x1
>> > > Serial number: 1
>> > > [root at caer ~]#
>> > >
>> > > *ca-error: Internal error: no response to
>> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>> > >
>> > >
>> > > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
>> > >
>> > > Linov Suresh wrote:
>> > >
>> > > Thanks for your help Rob, I will create a separate thread for IPA
>> > > replication issue. But we are still getting
>> > >
>> > > *ca-error: Internal error: no response to
>> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>> > >
>> > > Could you please help us to fix this?
>> > >
>> > >
>> > > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
>> > > like: ipa cert-show 1
>> > >
>> > > You should get back a cert (doesn't really matter what cert).
>> > >
>> > > Otherwise I'd check the CA debug log somewhere in /var/log/pki
>> > >
>> > > rob
>> > >
>>
>>
>> --
>> Petr Vobornik
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rakesh.rajasekharan at gmail.com Fri Jul 22 14:00:00 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Fri, 22 Jul 2016 19:30:00 +0530
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To: <20160722132436.GW20343@hendrix>
References: <20160722082829.GC22052@10.4.128.1> <20160722084148.GV20343@hendrix> <20160722132436.GW20343@hendrix>
Message-ID:

Under the "Configure Global Security" part of Jenkins, we can specify how Jenkins will fetch users for authentication.
One option is "Unix user/group database",
wherein it will do a getent passwd and fetch users from there. The other is to specify LDAP. There are a few other ways as well, but I haven't explored them yet.

Thanks
Rakesh

On Fri, Jul 22, 2016 at 6:54 PM, Jakub Hrozek wrote:

> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was, we have a build
> > server with the Jenkins set up.
> > And for authentication Jenkins tries to get the local users on the system.
>
> I'm not sure what you mean by localusers, but does Jenkins really use
> some sort of interface that lists all users through the system
> interface? IIRC Jenkins is written in Java, so I would expect some
> native Java connector instead..
>
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
> >
> > But are there any other reasons for recommending against "enumerate=TRUE",
> > I recall reading somewhere as well not to use this specific setting.
>
> - performance
> - in general (because it's not the default and few people use
>   enumeration), less tested than the default
> - idviews don't work
> - trusted AD users can't be enumerated at all
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter at pakos.uk Fri Jul 22 14:04:01 2016
From: peter at pakos.uk (Peter Pakos)
Date: Fri, 22 Jul 2016 15:04:01 +0100
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
Message-ID:

Jakub Hrozek wrote:
> I'm glad it works now, but why did you choose to use the LDAP back end
> over the IPA back end? By using LDAP, you gain the ability to not enroll
> clients with ipa-client-install, but you lose the ease of
> manageability, HBAC, easy SUDO integration, not to mention you need to
> put passwords into the config file..
>
>
Well, we wanted a quick solution for migrating all our servers (a mixture of CentOS, Debian, SLES, Ubuntu) from using SSSD with an old LDAP server to auth against FreeIPA.
Since we have all our servers puppetized and using sudoers files, it was the best approach I could think of. Can you think of a better way of tackling this?

Now that the dust has settled after the migration, we have started enrolling infrastructure servers to FreeIPA using ipa-client-install.

--
Kind regards,
Peter Pakos
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Fri Jul 22 14:07:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jul 2016 10:07:36 -0400
Subject: [Freeipa-users] change GID not work
In-Reply-To: <061FC241309C8543AAC51450EE0CA595012BDD11DCFB@EX01.office.traffics-switch.de>
References: <061FC241309C8543AAC51450EE0CA595012BDD11DCFB@EX01.office.traffics-switch.de>
Message-ID: <579228A8.4040309@redhat.com>

Junhe Jian wrote:
> Hello,
>
> I have a problem changing/setting the GID.
>
> Creating a new group with GID 999 in the GUI does not work. IPA generates a new
> GID within the range.

You are running into https://fedorahosted.org/freeipa/ticket/2886

This is fixed in freeIPA 3.2.

Basically 999 was the "magic" number that IPA used to know when to generate an ID value (as opposed to using one requested by the user).

I don't believe there is a workaround for this.

rob

From linov.suresh at gmail.com Fri Jul 22 14:15:06 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Fri, 22 Jul 2016 10:15:06 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com>
Message-ID:

Could you please verify if we have set the correct trust attributes on the certificates?

*[root at caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca            u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
subsystemCert cert-pki-ca            u,u,Pu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu

*[root at caer ~]# certutil -d /etc/httpd/alias/ -L*

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ipaCert                              u,u,u
Server-Cert                          u,u,u
TELOIP.NET IPA CA                    CT,C,C
ipaCert                              u,u,u
Signing-Cert                         u,u,u
Server-Cert                          u,u,u

*[root at caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
TELOIP.NET IPA CA                    CT,,C
Server-Cert                          u,u,u
[root at caer ~]#

*Please note, there are duplicate certificates in the CA, HTTP and LDAP directory: subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was wondering if we need to remove these duplicate certificates?*

On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:

> I'm facing another issue now: my Kerberos tickets are not renewing.
>
> *[root at caer ~]# ipa cert-show 1*
> ipa: ERROR: Ticket expired
>
> *[root at caer ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at TELOIP.NET
>
> Valid starting     Expires            Service principal
> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET at TELOIP.NET
> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net at TELOIP.NET
> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net at TELOIP.NET
>
> I need to manually renew the tickets every day,
>
> *[root at caer ~]# kinit admin*
> Password for admin at TELOIP.NET:
> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
>
> *[root at caer ~]# klist *
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at TELOIP.NET
>
> Valid starting     Expires            Service principal
> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET at TELOIP.NET
>
>
> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:
>
>> Linov Suresh wrote:
>>
>>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>>> run. If it is from the same time.
>>>
>>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>>> was run*
>>>
>>
>> The IPA API log isn't going to show much in this case.
>>
>> Requests to the CA are proxied through IPA. The CA WAR is not running on
>> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
>> Found.
>>
>> You need to start with the dogtag debug and selftest logs to see what is
>> going on. The logs are pretty verbose and can be challenging to read.
>>
>> rob
>>
>>
>>> [root at caer ~]# *tail -f /var/log/httpd/error_log*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>>>
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> *.*
>>> *.*
>>> *.*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> *.*
>>> *.*
>>> *.*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin at TELOIP.NET: cert_show(u'1'): CertificateOperationError
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21
>>>
>>>
>>> Does `ipa cert-show` communicate with the same replica? Could be
>>> verified by `ipa -vv cert-show`
>>>
>>> *It's asking for the serial number of the certificate. If I give 64
>>> (serial number of ipaCert), I get ipa: ERROR: Certificate operation
>>> cannot be completed: Unable to communicate with CMS (Not Found)*
>>>
>>> *[root at caer ~]# ipa -vv cert-show*
>>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> *.*
>>> *.*
>>> *.*
>>> ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: found session_cookie in persistent storage for principal 'admin at TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>>> ipa: DEBUG: Created connection context.xmlclient
>>> Serial number: 64
>>> ipa: DEBUG: raw: cert_show(u'64')
>>> ipa: DEBUG: cert_show(u'64')
>>> ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
>>> ipa: DEBUG: NSSConnection init caer.teloip.net
>>> ipa: DEBUG: Connecting: 10.20.0.75:0
>>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> *.*
>>> *.*
>>> *.*
>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>>
>>> send: ">
>>> encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
>>> reply: 'HTTP/1.1 200 Success\r\n'
>>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>>> header: Server: Apache/2.2.15 (CentOS)
>>> header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>>> header: Connection: close
>>> header: Content-Type: text/xml; charset=utf-8
>>> ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
>>>
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>>
>>> ipa: DEBUG: stdout=457971704
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>>
>>> ipa: DEBUG: stdout=457971704
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl pupdate 457971704
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> body: ">
>>> encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate
>>> operation
>>> cannot be completed: Unable to communicate with CMS (Not
>>> Found)\n\n\n\n\n"
>>> ipa: DEBUG: Caught fault 4301 from server
>>> https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be
>>> completed: Unable to communicate with CMS (Not Found)
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found)
>>> [root at caer ~]#
>>>
>>> But more interesting is: SelfTestSubsystem: The CRITICAL self test
>>> plugin called selftests.container.instance.SystemCertsVerification
>>> running at startup FAILED!
>>>
>>> Are you sure that CA is running?
>>> # ipactl status
>>> *Yes, CA is running,*
>>>
>>> *[root at caer ~]# ipactl status*
>>> Directory Service: RUNNING
>>> KDC Service: RUNNING
>>> KPASSWD Service: RUNNING
>>> DNS Service: RUNNING
>>> MEMCACHE Service: RUNNING
>>> HTTP Service: RUNNING
>>> CA Service: RUNNING
>>>
>>> This looks like that self test fail and therefore CA shouldn't start. It
>>> also says that some of CA cert is not valid. Which one might be seen in
>>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>> >>> *[root at caer ~]# tail -100 /var/log/pki-ca/debug * >>> >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721114829Z >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: >>> [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, >>> x509cert] pageSize -200 startFrom 20160721114829Z >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 2 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 3 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List >>> size: 0 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in >>> range: 268369849 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers >>> available: 268369849 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request >>> checkRanges >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in >>> range: 9989888 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers >>> available: 9989888 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done >>> 
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized. >>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized. >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start >>> updateCertStatus >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting >>> updateCertStatus (entered lock) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getInvalidCertificatesByNotBeforeDate: about to call >>> findCertRecordsInList >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs: >>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom >>> 20160721115829Z >>> 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> getInvalidCertsByNotBeforeDate finally. >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List >>> size: 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getValidCertsByNotAfterDate filter (certStatus=VALID) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: >>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom >>> 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 
>>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List >>> size: 14 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> transidValidCertificates: list size: 14 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> transitValidCertificates: ltSize 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction >>> getting index 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not >>> qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 >>> EDT 2016 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: >>> [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, >>> x509cert] pageSize -200 startFrom 20160721115829Z 
>>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns >>> now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List >>> size: 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in >>> range: 268369849 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers >>> available: 268369849 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request >>> checkRanges >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in >>> range: 9989888 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers >>> available: 9989888 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done >>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password >>> store initialized. >>> >>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik >> > wrote: >>> >>> On 07/21/2016 05:14 PM, Linov Suresh wrote: >>> > I set debug=true in /etc/ipa/default.conf >>> > >>> > Here are my logs, >>> >>> The httpd_error log doesn't contain the part where `ipa cert-show 1` >>> was >>> run. If it is from the same time. Does `ipa cert-show` communicate >>> with >>> the same replica? 
Could be verified by `ipa -vv cert-show` >>> >>> But more interesting is: >>> >>> SelfTestSubsystem: The CRITICAL self test plugin called >>> selftests.container.instance.SystemCertsVerification running at >>> startup >>> FAILED! >>> >>> Are you sure that CA is running? >>> # ipactl status >>> >>> This looks like that self test fail and therefore CA shouldn't >>> start. It >>> also says that some of CA cert is not valid. Which one might be seen >>> in >>> /var/log/pki-ca/debug but a bigger chunk would be needed. >>> >>> > >>> > *[root at caer ~]# tail -f /var/log/httpd/error_log* >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI >>> WSGIExecutioner.__call__: >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: >>> user_show(u'admin', >>> > rights=False, all=False, raw=False, version=u'2.46') >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: >>> user_show(u'admin', rights=False, >>> > all=False, raw=False, version=u'2.46') >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: >>> > entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net >>> > >>> >>> memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=replication >>> > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add >>> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=modify replication >>> > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=remove >>> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=unlock user >>> > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=manage >>> > service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=trust >>> admins,cn=groups,cn=accounts,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=host >>> enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=manage host >>> > 
keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=enroll a >>> > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add host >>> > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add >>> > krbprincipalname to a >>> host,cn=permissions,cn=pbac,dc=teloip,dc=net')] >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: >>> result >>> > >>> >>> direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=trust >>> admins,cn=groups,cn=accounts,dc=teloip,dc=net')] >>> > indirect=[ipapython.dn.DN('cn=replication >>> > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add >>> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=modify replication >>> > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=remove >>> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=unlock user >>> > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=manage >>> > service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=host >>> enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), >>> > ipapython.dn.DN('cn=manage host >>> > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=enroll a >>> > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add host >>> > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), >>> ipapython.dn.DN('cn=add >>> > krbprincipalname to a >>> host,cn=permissions,cn=pbac,dc=teloip,dc=net')] >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET >>> >>> > >: >>> >>> user_show(u'admin', rights=False, all=False, >>> > raw=False, version=u'2.46'): SUCCESS >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries >>> returned 1 >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed 
>>> connection context.ldap2 >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data >>> from file >>> > "/var/run/ipa_memcached/krbcc_13554" >>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: >>> > session_id=10c5de02f8ae0f3969b96ef0f2e3a96d >>> start_timestamp=2016-07-21T10:43:26 >>> > access_timestamp=2016-07-21T11:00:38 >>> expiration_timestamp=2016-07-21T11:20:38 >>> > >>> > *[root at caer ~]# tail -f /var/log/pki-ca/debug* >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: >>> curReqId: 9990001 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 >>> mTop 107 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction >>> getting index 4 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: >>> curReqId: 112 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: >>> getLastRequestId : >>> > returning value 112 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: >>> mLastSerialNo: 112 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers >>> left in range: >>> > 9989888 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial >>> Number: 112 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers >>> available: 9989888 >>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request >>> checkRanges done >>> > >>> > *[root at caer ~]# tail -f /var/log/pki-ca/transactions* >>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] >>> [1] CRL Update >>> > completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: >>> 7/20/16 5:00 PM >>> > next update time: 7/20/16 9:00 PM Number of entries in the CRL: >>> 11 time: 25 CRL >>> > time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25) >>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] >>> [1] CRL update >>> > started. 
CRL ID: MasterCRL CRL Number: 8,913 Delta CRL >>> Enabled: false CRL >>> > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: >>> false Cache: >>> > 11,0,0,0 >>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] >>> [1] CRL Update >>> > completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: >>> 7/20/16 9:00 PM >>> > next update time: 7/21/16 1:00 AM Number of entries in the CRL: >>> 11 time: 11 CRL >>> > time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11) >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] >>> [1] CRL update >>> > started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL >>> Enabled: false CRL >>> > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: >>> false Cache: >>> > 11,0,0,0 >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] >>> [1] CRL Update >>> > completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: >>> 7/21/16 1:00 AM >>> > next update time: 7/21/16 5:00 AM Number of entries in the CRL: >>> 11 time: 13 CRL >>> > time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13) >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] >>> [1] CRL update >>> > started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL >>> Enabled: false CRL >>> > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: >>> false Cache: >>> > 11,0,0,0 >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] >>> [1] CRL Update >>> > completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: >>> 7/21/16 5:00 AM >>> > next update time: 7/21/16 9:00 AM Number of entries in the CRL: >>> 11 time: 16 CRL >>> > time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16) >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] >>> [1] CRL update >>> > started. 
CRL ID: MasterCRL CRL Number: 8,916 Delta CRL >>> Enabled: false CRL >>> > Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: >>> false Cache: >>> > 11,0,0,0 >>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] >>> [1] CRL Update >>> > completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: >>> 7/21/16 9:00 AM >>> > next update time: 7/21/16 1:00 PM Number of entries in the CRL: >>> 11 time: 13 CRL >>> > time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13) >>> > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal >>> reqID 112 >>> > fromAgent userID: ipara authenticated by certUserDBAuthMgr is >>> completed DN >>> > requested: CN=CA Audit,O=TELOIP.NET >>> cert issued serial >>> > number: 0x47 time: 39 >>> > >>> > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log* >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: loading all >>> > self test plugin logger parameters >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: loading all >>> > self test plugin instances >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: loading all >>> > self test plugin instance parameters >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: loading >>> > self test plugins in on-demand order >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: loading >>> > self test plugins in startup order >>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] >>> SelfTestSubsystem: Self test >>> > plugins have been successfully loaded! 
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self
>>> > test plugins specified to be executed at startup:
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system
>>> > certs verification failure
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL
>>> > self test plugin called selftests.container.instance.SystemCertsVerification
>>> > running at startup FAILED!
>>> >
>>> > But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR:
>>> > Certificate operation cannot be completed: Unable to communicate with CMS (Not
>>> > Found)*"
>>> >
>>> > On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>>> >
>>> > This could be because of incorrect trust attributes on the
>>> > certificates, the current attributes are,
>>> >
>>> > [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias
>>> >
>>> > Certificate Nickname                         Trust Attributes
>>> >                                              SSL,S/MIME,JAR/XPI
>>> >
>>> > ocspSigningCert cert-pki-ca                  u,u,Pu
>>> > subsystemCert cert-pki-ca                    u,u,Pu
>>> > caSigningCert cert-pki-ca                    CTu,Cu,Cu
>>> > subsystemCert cert-pki-ca                    u,u,Pu
>>> > Server-Cert cert-pki-ca                      u,u,u
>>> > auditSigningCert cert-pki-ca                 u,u,Pu
>>> >
>>> > I'm going to fix the trust attributes and try.
>>> >
>>> > On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>> >
>>> > On 07/20/2016 09:41 PM, Linov Suresh wrote:
>>> > > I have restarted the pki-cad and checked if communication with the CA is
>>> > > working, but no luck,
>>> > >
>>> > > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
>>> > > anything other than this?
>>> > >>> > /var/log/httpd/error_log when /etc/ipa.conf is set to >>> debug=true >>> > >>> >>> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data >>> > >>> > /var/log/pki-ca/debug >>> > /var/log/pki-ca/transactions >>> > /var/log/pki-ca/selftest.log >>> > >>> > > >>> > > [root at caer ~]# ipa cert-show 1 >>> > > Certificate: >>> MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP >>> > > >>> SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0 >>> > > >>> MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w >>> > > >>> HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA >>> > > >>> A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV >>> > > >>> ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e >>> > > >>> tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb >>> > > >>> UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe >>> > > >>> tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7 >>> > > >>> 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j >>> > > >>> BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV >>> > > >>> HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG >>> > > >>> AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5 >>> > > >>> MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj >>> > > >>> kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y >>> > > >>> 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV >>> > > >>> nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt >>> > > >>> e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK >>> > > >>> b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30= >>> > > Subject: CN=Certificate Authority,O=TELOIP.NET >>> >>> > >>> > > Issuer: CN=Certificate Authority,O=TELOIP.NET >>> >>> > >>> > > Not Before: Wed Dec 14 22:29:56 2011 UTC >>> > 
>>> > > Not After: Sat Dec 14 22:29:56 2019 UTC
>>> > > Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>>> > > Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>>> > > Serial number (hex): 0x1
>>> > > Serial number: 1
>>> > > [root at caer ~]#
>>> > >
>>> > > *ca-error: Internal error: no response to
>>> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>>> > >
>>> > > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
>>> > >
>>> > >     Linov Suresh wrote:
>>> > >
>>> > >         Thanks for your help Rob, I will create a separate thread for IPA
>>> > >         replication issue. But we are still getting
>>> > >
>>> > >         *ca-error: Internal error: no response to
>>> > >         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>>> > >
>>> > >         Could you please help us to fix this?
>>> > >
>>> > >     I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
>>> > >     like: ipa cert-show 1
>>> > >
>>> > >     You should get back a cert (doesn't really matter what cert).
>>> > >
>>> > >     Otherwise I'd check the CA debug log somewhere in /var/log/pki
>>> > >
>>> > >     rob
>>> > >
>>>
>>> --
>>> Petr Vobornik
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jhrozek at redhat.com Fri Jul 22 14:24:32 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 22 Jul 2016 16:24:32 +0200
Subject: [Freeipa-users] SSSD with LDAP not showing secondary groups
In-Reply-To:
References:
Message-ID: <20160722142432.GA3351@hendrix>

On Fri, Jul 22, 2016 at 03:04:01PM +0100, Peter Pakos wrote:
> Jakub Hrozek wrote:
> >
> > I'm glad it works now, but why did you choose to use the LDAP back end
> > over the IPA back end?
> > By using LDAP, you gain the ability to not enroll
> > clients with ipa-client-install, but you lose the ease of
> > manageability, HBAC, easy SUDO integration, not to mention you need to
> > put passwords into the config file..
> >
>
> Well, we wanted a quick solution for migrating all our servers (a mixture
> of Centos, Debian, SLES, Ubuntu) from using SSSD with an old LDAP server to
> auth against FreeIPA. Since we have all our servers puppetized and using
> sudoers files, it was the best approach I could think of.
>
> Can you think of a better way of tackling this?
>
> Now that the dust settles down after the migration, we started enrolling
> infrastructure servers to FreeIPA using ipa-client-install.

Ah, sorry, if you are going through a migration, then it's understandable.

From julliot at ljll.math.upmc.fr Fri Jul 22 14:25:25 2016
From: julliot at ljll.math.upmc.fr (Sébastien Julliot)
Date: Fri, 22 Jul 2016 16:25:25 +0200
Subject: [Freeipa-users] Bypass pre-hashed passwords verification
In-Reply-To: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com>
References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com>
Message-ID: <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr>

Hi Petr,

Thanks for the documentation. I had already followed the steps from the
NIS migration page; it works, but does not solve my problem, which is to
change *already existing users'* passwords.

When trying

    ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='

I get "Pre-Encoded passwords are not valid"

On 22/07/2016 at 15:08, Petr Vobornik wrote:
> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>> Hello everyone,
>>
>> I am currently trying to deploy FreeIPA as the new idm system in my
>> university but came across a problem I could not solve yet. I need to
>> bypass the pre-hashed passwords verification, not only on the user creation.
>> >> Due to several constraints, our workflow involves periodically (once a >> day, currently) receiving an ldif file containing the users up-to-date >> informations, (including hashed passwords) and inserting this >> informations into the idm. As our goal is to unify users passwords in >> the university but do not have access to the higher-level LDAP directly, >> we injected this pre-hashed passwords directly into the LDAP until today. >> >> Yet, every attempt I made to update users passwords with pre-hashed >> passwords failed for now. >> >> First I tried this (migration mode enabled): >> >> ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************' >> >> /*OK*/ >> >> ? ~ kinit testuser >> >> kinit: Generic preauthentication failure while getting initial credentials >> >> As expected from the documentation, it does not work :p >> >> I then thought about trying to copy the migration plug-in, and change >> the way it retrieves users (from LDIF rather than from an online LDAP >> server). Since this plugin is able to But again, event binding as >> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I >> tested my code without the userPassword field and the users are >> correctly inserted). 
>> >> Here is my code : >> >> class ldif_importer(ldif.LDIFParser): >> def __init__(self, ldap_backend): >> ldif.LDIFParser.__init__(self, open('test.ldif', 'rb')) >> self.ldap = ldap_backend >> >> def handle(self, dn, entry): >> self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry)) >> >> class my_backend(ipalib.Backend): >> '''Backend to import ldap passwords from ldif''' >> >> def __init__(self, api): >> ipalib.Backend.__init__(self, api) >> self.ldap = ldap2(self.api) >> self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********') >> >> def parse(self): >> importer = ldif_importer(self.ldap) >> importer.parse() >> >> class my_command(ipalib.Command): >> '''Command calling my_backend to import passwords from ldif''' >> >> def execute(self, **options): >> '''Implemented against my_backend''' >> self.Backend.my_backend.parse() >> return {'result': 'everything OK'} >> >> >> Should one of these methods have worked, and I did it incorrectly ? >> Otherwise, what would be the lower-impact solution to achieve this ? >> (Yes, I understand the security concerns about sending passwords hashes >> on the network but this choice does not depend on me) >> >> Many thanks in advance, >> Sebastien. >> > I issue might be that the user has his userPassword migrated but he > doesn't have krbPrincipalKey generated. If kerberos key is missing then > it is automatically generated on successful LDAP bind (it's what > ipa/migration page does) > > Additional info which might interest you: > * > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync > * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords > From jhrozek at redhat.com Fri Jul 22 14:31:29 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 22 Jul 2016 16:31:29 +0200 Subject: [Freeipa-users] IPA certificates expired, please help! 
In-Reply-To: References: <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com> Message-ID: <20160722143129.GC3351@hendrix> On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > I'm facing another issue now, my kerberos tickets are not renewing, In general I think it's better to start separate threads about separate issues. That way people who only scan the subject lines can see if this thread is something they can help with :) > > *[root at caer ~]# ipa cert-show 1* > ipa: ERROR: Ticket expired > > *[root at caer ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > Valid starting Expires Service principal > 07/20/16 14:42:26 07/21/16 14:42:22 krbtgt/TELOIP.NET at TELOIP.NET > 07/20/16 14:42:36 07/21/16 14:42:22 HTTP/caer.teloip.net at TELOIP.NET > 07/21/16 11:40:15 07/21/16 14:42:22 ldap/caer.teloip.net at TELOIP.NET > > I need to manually renew the tickets every day, > > *[root at caer ~]# kinit admin* > Password for admin at TELOIP.NET: > Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016 > > *[root at caer ~]# klist * > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > Valid starting Expires Service principal > 07/22/16 09:34:52 07/23/16 09:34:49 krbtgt/TELOIP.NET at TELOIP.NET The first thing to keep in mind is that SSSD only renews tickets it 'knows about', so tickets that were acquired through SSSD, not directly with kinit. For options about renewing SSSD-acquired tickets, see man sssd-krb5 and search for renew. From linov.suresh at gmail.com Fri Jul 22 14:48:25 2016 From: linov.suresh at gmail.com (Linov Suresh) Date: Fri, 22 Jul 2016 10:48:25 -0400 Subject: [Freeipa-users] IPA certificates expired, please help! 
In-Reply-To: <20160722143129.GC3351@hendrix> References: <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com> <20160722143129.GC3351@hendrix> Message-ID: I agree with you Jakub, I will start separate thread for separate issues. On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek wrote: > On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > > I'm facing another issue now, my kerberos tickets are not renewing, > > In general I think it's better to start separate threads about separate > issues. That way people who only scan the subject lines can see if this > thread is something they can help with :) > > > > > *[root at caer ~]# ipa cert-show 1* > > ipa: ERROR: Ticket expired > > > > *[root at caer ~]# klist* > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: admin at TELOIP.NET > > > > Valid starting Expires Service principal > > 07/20/16 14:42:26 07/21/16 14:42:22 krbtgt/TELOIP.NET at TELOIP.NET > > 07/20/16 14:42:36 07/21/16 14:42:22 HTTP/caer.teloip.net at TELOIP.NET > > 07/21/16 11:40:15 07/21/16 14:42:22 ldap/caer.teloip.net at TELOIP.NET > > > > I need to manually renew the tickets every day, > > > > *[root at caer ~]# kinit admin* > > Password for admin at TELOIP.NET: > > Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016 > > > > *[root at caer ~]# klist * > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: admin at TELOIP.NET > > > > Valid starting Expires Service principal > > 07/22/16 09:34:52 07/23/16 09:34:49 krbtgt/TELOIP.NET at TELOIP.NET > > The first thing to keep in mind is that SSSD only renews tickets it > 'knows about', so tickets that were acquired through SSSD, not directly > with kinit. > > For options about renewing SSSD-acquired tickets, see man sssd-krb5 and > search for renew. 
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From David.Alston at sabre.com Fri Jul 22 14:59:11 2016 From: David.Alston at sabre.com (Alston, David) Date: Fri, 22 Jul 2016 09:59:11 -0500 Subject: [Freeipa-users] Replicating users/groups from AD Message-ID: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> Greetings! I realize that FreeIPA is supposed to be setup as master of its own domain, but are there any plans to continue the account replication functionality that has already been in FreeIPA? I had heard rumor that it would be possible to have FreeIPA and Active Directory coexist in the same domain in some release in the future. Am I waiting for a feature that will never come? --David Alston -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Fri Jul 22 15:49:12 2016 From: simo at redhat.com (Simo Sorce) Date: Fri, 22 Jul 2016 11:49:12 -0400 Subject: [Freeipa-users] Replicating users/groups from AD In-Reply-To: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> References: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> Message-ID: <1469202552.18067.50.camel@redhat.com> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote: > Greetings! > > I realize that FreeIPA is supposed to be setup as master of its > own domain, but are there any plans to continue the account > replication functionality that has already been in FreeIPA? I had > heard rumor that it would be possible to have FreeIPA and Active > Directory coexist in the same domain in some release in the future. > Am I waiting for a feature that will never come? 
Hi David,
in order to respond to your question, an idea of what your expectations are
is needed.

If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they
will never coexist.

If by Domain you mean DNS Domain, then FreeIPA can work in the same domain
as AD but only if you do not care for them interacting (at the kerberos
level, no trusts, no SSO). You can basically have only one association
between a DNS domain and a Realm, and a DNS domain is either going to be
associated to the AD Domain server or to the IPA Domain.

Synchronization, however, is a completely unrelated topic, and I can't give
you an answer on that side as I do not understand how it would relate to
the coexistence of FreeIPA and AD in a single DNS domain.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From gjn at gjn.priv.at Fri Jul 22 16:50:07 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 22 Jul 2016 18:50:07 +0200
Subject: [Freeipa-users] Question DNS
Message-ID: <1707520.xy7iZH4aVo@techz>

Hello List,

what is the best way to include a local DNS Server?

Can I configure views for an internal DNS on an (external) IPA DNS Server
without problems? Is the named configuration overwritten by updates or
otherwise?

I have read much FreeIPA documentation now but found nothing on this problem.

-- 
with kind regards / best regards,
Günther J. Niederwimmer

From pgb205 at yahoo.com Fri Jul 22 18:17:37 2016
From: pgb205 at yahoo.com (pgb205)
Date: Fri, 22 Jul 2016 18:17:37 +0000 (UTC)
Subject: [Freeipa-users] Unable to add CA on an already configured replica
References: <312415248.3085984.1469211457614.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com>

Current topology: ipa-srv1<->ipa-srv2
ipa-srv1 already has CA installed but NOT ipa-srv2.
The reason I would like to add CA on ipa-srv2 is because I want the setup to
ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3; however I am unable to
create the gpg replication file on ipa-srv2 (to be used to establish a
replication agreement to ipa-srv3) as I get an error message:

Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

From what I've found the gpg file can only be created on a replica with CA
installed. To install the CA I tried the following command:

ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg

This errors out at

  [8/21]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance. See the installation log for details.
  [9/21]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500

systemctl status pki-tomcatd at pki-tomcat.service shows the pki service is
running, surprisingly, but it's still not listed in ipactl status output.
Further attempts to install are halted with the error: CA is already
installed on this system, and I have to manually delete everything with:

pkidestroy -s CA -i pki-tomcat
 1003  rm -rf /var/log/pki/pki-tomcat
 1004  rm -rf /etc/sysconfig/pki-tomcat
 1005  rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
 1006  rm -rf /var/lib/pki/pki-tomcat
 1007  rm -rf /etc/pki/pki-tomcat

In the error logs the one message that stands out is: 500 internal server
error, which repeats multiple times at the end of the log file.

Please suggest what can be done in this situation.

PS: regarding the pkidestroy and pkiremove commands, what is the difference,
or does pkidestroy supersede pkiremove? Alexander B suggests pkiremove in
one of his older posts and 'yum whatprovides pkiremove' also suggests that
it should be available.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From lmgnid at hotmail.com Fri Jul 22 18:22:13 2016
From: lmgnid at hotmail.com (lm gnid)
Date: Fri, 22 Jul 2016 18:22:13 +0000
Subject: [Freeipa-users] Cannot renew expired certificates in IPA 4.2
Message-ID: 

Hello,

as in the link below, your help will be appreciated!

https://bugzilla.redhat.com/show_bug.cgi?id=1343796

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From rcritten at redhat.com Fri Jul 22 18:40:16 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jul 2016 14:40:16 -0400
Subject: [Freeipa-users] Odd Password Issue Across the realm
In-Reply-To: 
References: <57914B87.8000502@redhat.com>
Message-ID: <57926890.8070906@redhat.com>

Auerbach, Steven wrote:
> I don't think so. The sssd service is running on the client server. But
> it is configured with cache_credentials=true. I also notice a key
> ipa_server = _srv_, ipa02.<>.local. The thing is, that second name was
> replaced a number of months ago by a server named ipa-r02.<>.local.
>
> Could either of these keys point to a problem?

Like I said, it sounds like it is offline. The fact that one of the servers
doesn't exist makes this even more possible.

You need to check the SSSD logs. See
https://fedorahosted.org/sssd/wiki/Troubleshooting

You can try killing sssd with SIGUSR2 which will try to put it into online
mode (see man sssd).

rob

>
> Thanks.
> > > Steven Auerbach > Systems Administrator > > State University System of Florida > Board of Governors > 325 West Gaines Street, Suite 1625C > Tallahassee, Florida 32399 > (850) 245-9592 > steven.auerbach at flbog.edu | www.flbog.edu > > > > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: Thursday, July 21, 2016 6:24 PM > To: Auerbach, Steven ; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Odd Password Issue Across the realm > > Auerbach, Steven wrote: >> We have our IPA set up as master-master and we have about 25 clients >> in realm (including the IPA servers themselves). >> >> We have a single user who changed his unexpired password using the >> passwd command logged on to one of the registered clients. >> >> Thereafter, when he logs on to any of the client servers in the realm >> with the exception of one, his new password is accepted. On only one >> client server his new password is not accepted. That client server >> will only let him in with a password that was in effect 2 password >> changes in the past. >> >> I believe that there is no sync problem between the IPA Masters >> because I changed the admin password on one of them (IPA Master) >> yesterday and it was available immediately after a logout to sign on >> as admin to the other master with the new password. >> >> Are we instructing users with the wrong command for changing an >> unexpired password? If not, where would we turn to rectify this issue >> that this one user has with the one IPA client server? > > I wonder if sssd on that client is in offline mode. > > rob > From rcritten at redhat.com Fri Jul 22 18:45:44 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 22 Jul 2016 14:45:44 -0400 Subject: [Freeipa-users] IPA certificates expired, please help! 
In-Reply-To: References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com> Message-ID: <579269D8.6040601@redhat.com> Linov Suresh wrote: > Could you please verify, if we have set correct trust attributes on the > certificates > > *root at caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > subsystemCert cert-pki-ca u,u,Pu > ocspSigningCert cert-pki-ca u,u,u > caSigningCert cert-pki-ca CTu,Cu,Cu > subsystemCert cert-pki-ca u,u,Pu > Server-Cert cert-pki-ca u,u,u > auditSigningCert cert-pki-ca u,u,Pu > * > * > *[root at caer ~]# certutil -d /etc/httpd/alias/ -L* > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > ipaCert u,u,u > Server-Cert u,u,u > TELOIP.NET IPA CA > CT,C,C > ipaCert u,u,u > Signing-Cert u,u,u > Server-Cert u,u,u > > *[root at caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L* > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Server-Cert u,u,u > TELOIP.NET IPA CA > CT,,C > Server-Cert u,u,u > [root at caer ~]# > > *Please note, there are duplicate certificates in CA, HTTP and LDAP > directory, subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was > wondering if we need to remove these duplicate certificates? * Yeah you should remove the duplicate certs, they seem to cause problems with dogtag at least (certmonger _should_ handle this automatically, we'll be looking into it soonish). To remove the duplicate cert: 1. Shutdown the service 2. Back up the NSS database 3. certutil -L -d /path/to/db -n -a > somefile 4. split somefile into separate files so each file as a BEGIN/END certificate 5. openssl x509 -text -in -infile somefile1..n 6. Pick the one with the most recent issuance date 7. You backed up the NSS database, right? 8. certutil -D -d /path/to/db -n 9. 
certutil -A -d /path/to/db -n -t u,u,u -a -i somefilex 10. Start the service, watch logs for errors For the trust use whatever the original trust value was. You don't need the P trust flag on the subsystemCert in the CA, only the auditSigningCert. I doubt the duplicated Server-Cert will be a problem. NSS is supposed to deal with this automatically, picking the "most correct" cert to use based on the validity period. rob > > > On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh > wrote: > > I'm facing another issue now, my kerberos tickets are not renewing, > > *[root at caer ~]# ipa cert-show 1* > ipa: ERROR: Ticket expired > > *[root at caer ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > Valid starting Expires Service principal > 07/20/16 14:42:26 07/21/16 14:42:22 krbtgt/TELOIP.NET at TELOIP.NET > > 07/20/16 14:42:36 07/21/16 14:42:22 > HTTP/caer.teloip.net at TELOIP.NET > 07/21/16 11:40:15 07/21/16 14:42:22 > ldap/caer.teloip.net at TELOIP.NET > > I need to manually renew the tickets every day, > > *[root at caer ~]# kinit admin* > Password for admin at TELOIP.NET : > Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016 > > *[root at caer ~]# klist * > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > Valid starting Expires Service principal > 07/22/16 09:34:52 07/23/16 09:34:49 krbtgt/TELOIP.NET at TELOIP.NET > > > > On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden > > wrote: > > Linov Suresh wrote: > > The httpd_error log doesn't contain the part where `ipa > cert-show 1` was > run. If it is from the same time. > > *I am not sure about that, please see httpd_error when `ipa > cert-show 1` > was run* > > > The IPA API log isn't going to show much in this case. > > Requests to the CA are proxied through IPA. The CA WAR is not > running on tomcat so when Apache tries to proxy the request > tomcat returns a 404, Not Found. 
> > You need to start with the dogtag debug and selftest logs to see > what is going on. The logs are pretty verbose and can be > challenging to read. > > rob > > > [root at caer ~]# *tail -f /var/log/httpd/error_log* > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI > wsgi_dispatch.__call__: > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI > xmlserver_session.__call__: > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session > cookie_id = > bc2c7ed0eccd840dc266efaf9ece913c > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session > data in > cache with id=bc2c7ed0eccd840dc266efaf9ece913c > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > xmlserver_session.__call__: > session_id=bc2c7ed0eccd840dc266efaf9ece913c > start_timestamp=2016-07-21T11:58:54 > access_timestamp=2016-07-21T12:01:21 > expiration_timestamp=2016-07-21T12:18:54 > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing > ccache data into > file "/var/run/ipa_memcached/krbcc_13554" > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > get_credential_times: > principal=HTTP/caer.teloip.net at TELOIP.NET > > >, authtime=07/21/16 > 10:31:46, > starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, > renew_till=12/31/69 19:00:00 > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > get_credential_times: > principal=HTTP/caer.teloip.net at TELOIP.NET > > >, authtime=07/21/16 > 10:31:46, > > starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, > renew_till=12/31/69 19:00:00 > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache > FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 > (07/22/16 > 10:31:44) > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > set_session_expiration_time: duration_type=inactivity_timeout > duration=1200 max_age=1469197604 expiration=1469118081.77 > (2016-07-21T12:21:21) > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI > xmlserver.__call__: > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created > connection > context.ldap2 > [Thu Jul 21 
12:01:21 2016] [error] ipa: DEBUG: WSGI > WSGIExecutioner.__call__: > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: > cert_show(u'1') > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1') > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual > verify > retrieve certificate > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > ipaserver.plugins.dogtag.ra.get_certificate() > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request > 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial' > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request > post > 'xml=true&serialNumber=1' > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection > init > caer.teloip.net > > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: > 10.20.0.75:0 > > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > auth_certificate_callback: check_sig=True is_server=False > *.* > *.* > *.* > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = > SSLServer intended_usage = SSLServer > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid > True for > "CN=caer.teloip.net > ,O=TELOIP.NET > " > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake > complete, peer > = 10.20.0.75:443 > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: > auth_certificate_callback: check_sig=True is_server=False > *.* > *.* > *.* > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = > SSLServer intended_usage = SSLServer > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid > True for > "CN=caer.teloip.net > ,O=TELOIP.NET > " > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake > complete, peer > = 10.20.0.75:443 > [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: > ipaserver.plugins.dogtag.ra.get_certificate(): Unable to > communicate > with CMS (Not Found) > [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: > admin at TELOIP.NET > >: > cert_show(u'1'): CertificateOperationError > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: > 
CertificateOperationError: Certificate operation cannot be > completed: > Unable to communicate with CMS (Not Found) > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed > connection > context.ldap2 > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading > ccache data from > file "/var/run/ipa_memcached/krbcc_13554" > [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: > session_id=bc2c7ed0eccd840dc266efaf9ece913c > start_timestamp=2016-07-21T11:58:54 > access_timestamp=2016-07-21T12:01:21 > expiration_timestamp=2016-07-21T12:21:21 > > > Does `ipa cert-show` communicate with the same replica? Could be > verified by `ipa -vv cert-show` > > *It's asking for the serial number of the certificate. If I > give 64 > (serial number of ipaCert ), I get ipa: ERROR: Certificate > operation > cannot be completed: Unable to communicate with CMS (Not Found)* > > *[root at caer ~]# ipa -vv cert-show* > ipa: DEBUG: importing all plugin modules in > '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
> *.* > *.* > *.* > ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; > Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, > 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly > ipa: DEBUG: stderr= > ipa: DEBUG: found session_cookie in persistent storage for > principal > 'admin at TELOIP.NET > >', cookie: > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; > Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, 21 Jul > 2016 16:25:32 > GMT; Secure; HttpOnly' > ipa: DEBUG: setting session_cookie into context > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;' > ipa: INFO: trying https://caer.teloip.net/ipa/session/xml > ipa: DEBUG: Created connection context.xmlclient > Serial number: 64 > ipa: DEBUG: raw: cert_show(u'64') > ipa: DEBUG: cert_show(u'64') > ipa: INFO: Forwarding 'cert_show' to server > u'https://caer.teloip.net/ipa/session/xml' > ipa: DEBUG: NSSConnection init caer.teloip.net > > ipa: DEBUG: Connecting: 10.20.0.75:0 > > send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: > caer.teloip.net > \r\nAccept-Language: en-us\r\nReferer: > https://caer.teloip.net/ipa/xml\r\nCookie > : > ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: > xmlrpclib.py/1.0.1 > (by www.pythonware.com > > )\r\nContent-Type: > text/xml\r\nContent-Length: 268\r\n\r\n' > ipa: DEBUG: auth_certificate_callback: check_sig=True > is_server=False > *.* > *.* > *.* > ipa: DEBUG: approved_usage = SSLServer intended_usage = > SSLServer > ipa: DEBUG: cert valid True for "CN=caer.teloip.net > > ,O=TELOIP.NET > " > ipa: DEBUG: handshake complete, peer = 10.20.0.75:443 > > > send: " encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n" > reply: 'HTTP/1.1 200 Success\r\n' > header: Date: Thu, 21 Jul 2016 16:05:40 GMT > header: Server: Apache/2.2.15 (CentOS) > header: Set-Cookie: > ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; > Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, > 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly > header: Connection: close > header: Content-Type: text/xml; 
charset=utf-8 > ipa: DEBUG: received Set-Cookie > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; > Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, 21 Jul > 2016 16:25:40 > GMT; Secure; HttpOnly' > ipa: DEBUG: storing cookie > 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; > Domain=caer.teloip.net > ; Path=/ipa; Expires=Thu, 21 Jul > 2016 16:25:40 > GMT; Secure; HttpOnly' for principal admin at TELOIP.NET > > > > ipa: DEBUG: args=keyctl search @s user > ipa_session_cookie:admin at TELOIP.NET > > > > ipa: DEBUG: stdout=457971704 > > ipa: DEBUG: stderr= > ipa: DEBUG: args=keyctl search @s user > ipa_session_cookie:admin at TELOIP.NET > > > > ipa: DEBUG: stdout=457971704 > > ipa: DEBUG: stderr= > ipa: DEBUG: args=keyctl pupdate 457971704 > ipa: DEBUG: stdout= > ipa: DEBUG: stderr= > body: " encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate > operation cannot be completed: Unable to communicate with > CMS (Not > Found)\n\n\n\n\n" > ipa: DEBUG: Caught fault 4301 from server > https://caer.teloip.net/ipa/session/xml: Certificate > operation cannot be > completed: Unable to communicate with CMS (Not Found) > ipa: DEBUG: Destroyed connection context.xmlclient > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > [root at caer ~]# > > > But more interesting is: SelfTestSubsystem: The CRITICAL > self test > plugin called > selftests.container.instance.SystemCertsVerification > running at startup FAILED! > > Are you sure that CA is running? > # ipactl status > *Yes, CA is runnig, * > > *[root at caer ~]# ipactl status* > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > DNS Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > CA Service: RUNNING > > This looks like that self test fail and therefore CA > shouldn't start. It > also says that some of CA cert is not valid. 
Which one might > be seen in > /var/log/pki-ca/debug but a bigger chunk would be needed. > > *[root at caer ~]# tail -100 /var/log/pki-ca/debug * > > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: > mNumConns now 1 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721114829Z > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In > DBVirtualList filter > attrs startFrom sortKey pageSize filter: > (certStatus=REVOKED) attrs: > [objectclass, certRevokedOn, certRecordId, certRevoInfo, > notAfter, > x509cert] pageSize -200 startFrom 20160721114829Z > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: > mNumConns now 2 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: > mNumConns now 3 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries > returning 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting > Virtual List size: 0 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be > empty > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: > updateCertStatus done > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting > cert checkRanges > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial > numbers left in > range: 268369849 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial > Number: 71 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers > available: 268369849 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert > checkRanges done > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting > request checkRanges > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial > numbers left in > range: 9989888 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial > Number: 112 > [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers > available: 9989888 > 
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: request > checkRanges done > [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized before. > [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized. > [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized before. > [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized. > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start > updateCertStatus > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting > updateCertStatus (entered lock) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > updateCertStatus() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getInvalidCertificatesByNotBeforeDate filter > (certStatus=INVALID) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getInvalidCertificatesByNotBeforeDate: about to call > findCertRecordsInList > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > DBVirtualList filter > attrs startFrom sortKey pageSize filter: > (certStatus=INVALID) attrs: > [objectclass, certRecordId, x509cert] pageSize -200 startFrom > 20160721115829Z > 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > getInvalidCertsByNotBeforeDate finally. > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries > returning 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting > Virtual List size: 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be > empty > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getValidCertsByNotAfterDate filter (certStatus=VALID) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > DBVirtualList filter > attrs startFrom sortKey pageSize filter: (certStatus=VALID) > attrs: > [objectclass, certRecordId, x509cert] pageSize -200 startFrom > 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries > returning 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting 
> Virtual List > size: 14 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > transidValidCertificates: list size: 14 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > transitValidCertificates: ltSize 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getElementAt: 0 mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse > direction > getting index 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not > qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul > 21 11:58:29 > EDT 2016 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > transitCertList EXPIRED > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 2 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED) > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > getRevokedCertificatesByNotAfterDate: about to call > findCertRecordsInList > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > LdapBoundConnFactory::getConn() > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn > is connected: > true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is > connected true > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: > mNumConns now 1 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > findCertRecordsInListRawJumpto with Jumpto 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In > DBVirtualList filter > attrs startFrom sortKey pageSize filter: > (certStatus=REVOKED) attrs: > [objectclass, certRevokedOn, certRecordId, certRevoInfo, > notAfter, > x509cert] pageSize -200 startFrom 20160721115829Z > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 2 > 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: > mNumConns now 3 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries > returning 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting > Virtual List size: 0 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be > empty > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: > updateCertStatus done > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting > cert checkRanges > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial > numbers left in > range: 268369849 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial > Number: 71 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers > available: 268369849 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert > checkRanges done > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting > request checkRanges > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial > numbers left in > range: 9989888 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial > Number: 112 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers > available: 9989888 > [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request > checkRanges done > [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized before. > [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: > getPasswordStore(): password > store initialized. > > On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik > > >> > wrote: > > On 07/21/2016 05:14 PM, Linov Suresh wrote: > > I set debug=true in /etc/ipa/default.conf > > > > Here are my logs, > > The httpd_error log doesn't contain the part where `ipa > cert-show 1` was > run. If it is from the same time. Does `ipa cert-show` > communicate with > the same replica? 
Could be verified by `ipa -vv cert-show` > > But more interesting is: > > SelfTestSubsystem: The CRITICAL self test plugin called > selftests.container.instance.SystemCertsVerification > running at startup > FAILED! > > Are you sure that CA is running? > # ipactl status > > This looks like that self test fail and therefore CA > shouldn't start. It > also says that some of CA cert is not valid. Which one > might be seen in > /var/log/pki-ca/debug but a bigger chunk would be needed. > > > > > *[root at caer ~]# tail -f /var/log/httpd/error_log* > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI > WSGIExecutioner.__call__: > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: > user_show(u'admin', > > rights=False, all=False, raw=False, version=u'2.46') > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > user_show(u'admin', rights=False, > > all=False, raw=False, version=u'2.46') > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > get_memberof: > > entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net > > > > memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=replication > > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > replication > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=modify replication > > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=remove > > replication > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=unlock user > > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=manage > > service > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=trust > admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=host > enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=manage host > > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=enroll a > > 
host,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add host > > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > krbprincipalname to a > host,cn=permissions,cn=pbac,dc=teloip,dc=net')] > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > get_memberof: result > > > > direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=trust > admins,cn=groups,cn=accounts,dc=teloip,dc=net')] > > indirect=[ipapython.dn.DN('cn=replication > > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > replication > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=modify replication > > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=remove > > replication > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=unlock user > > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=manage > > service > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=host > enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), > > ipapython.dn.DN('cn=manage host > > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=enroll a > > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add host > > password,cn=permissions,cn=pbac,dc=teloip,dc=net'), > ipapython.dn.DN('cn=add > > krbprincipalname to a > host,cn=permissions,cn=pbac,dc=teloip,dc=net')] > > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: > admin at TELOIP.NET > > > > > >>: > > user_show(u'admin', rights=False, all=False, > > raw=False, version=u'2.46'): SUCCESS > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > response: entries returned 1 > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > Destroyed connection context.ldap2 > > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: > reading ccache data from file > > "/var/run/ipa_memcached/krbcc_13554" > > [Thu Jul 
21 11:00:38 2016] [error] ipa: DEBUG: store > session: > > session_id=10c5de02f8ae0f3969b96ef0f2e3a96d > start_timestamp=2016-07-21T10:43:26 > > access_timestamp=2016-07-21T11:00:38 > expiration_timestamp=2016-07-21T11:20:38 > > > > *[root at caer ~]# tail -f /var/log/pki-ca/debug* > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > RequestQueue: curReqId: 9990001 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > getElementAt: 1 mTop 107 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > reverse direction getting index 4 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > RequestQueue: curReqId: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > RequestQueue: getLastRequestId : > > returning value 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > Repository: mLastSerialNo: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > Serial numbers left in range: > > 9989888 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last > Serial Number: 112 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > Serial Numbers available: 9989888 > > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: > request checkRanges done > > > > *[root at caer ~]# tail -f /var/log/pki-ca/transactions* > > 6563.CRLIssuingPoint-MasterCRL - > [20/Jul/2016:17:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,912 last > update time: > 7/20/16 5:00 PM > > next update time: 7/20/16 9:00 PM Number of entries > in the CRL: > 11 time: 25 CRL > > time: 25 delta CRL time: 0 > (0,0,0,0,0,0,0,8,17,0,0,25,25) > > 6563.CRLIssuingPoint-MasterCRL - > [20/Jul/2016:21:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,913 > Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true > Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - > [20/Jul/2016:21:00:00 EDT] [20] > [1] CRL Update > > completed. 
CRL ID: MasterCRL CRL Number: 8,913 last > update time: > 7/20/16 9:00 PM > > next update time: 7/21/16 1:00 AM Number of entries > in the CRL: > 11 time: 11 CRL > > time: 11 delta CRL time: 0 > (0,0,0,0,0,0,0,6,5,0,0,11,11) > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:01:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,914 > Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true > Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:01:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,914 last > update time: > 7/21/16 1:00 AM > > next update time: 7/21/16 5:00 AM Number of entries > in the CRL: > 11 time: 13 CRL > > time: 13 delta CRL time: 0 > (0,0,0,0,0,0,0,6,7,0,0,13,13) > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:05:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,915 > Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true > Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:05:00:00 EDT] [20] > [1] CRL Update > > completed. CRL ID: MasterCRL CRL Number: 8,915 last > update time: > 7/21/16 5:00 AM > > next update time: 7/21/16 9:00 AM Number of entries > in the CRL: > 11 time: 16 CRL > > time: 16 delta CRL time: 0 > (0,0,0,0,0,0,0,8,8,0,0,16,16) > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:09:00:00 EDT] [20] > [1] CRL update > > started. CRL ID: MasterCRL CRL Number: 8,916 > Delta CRL > Enabled: false CRL > > Cache Enabled: true Cache Recovery Enabled: true > Cache Cleared: > false Cache: > > 11,0,0,0 > > 6563.CRLIssuingPoint-MasterCRL - > [21/Jul/2016:09:00:00 EDT] [20] > [1] CRL Update > > completed. 
CRL ID: MasterCRL CRL Number: 8,916 last > update time: > 7/21/16 9:00 AM > > next update time: 7/21/16 1:00 PM Number of entries > in the CRL: > 11 time: 13 CRL > > time: 13 delta CRL time: 0 > (0,0,0,0,0,0,0,6,7,0,0,13,13) > > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] > [1] renewal > reqID 112 > > fromAgent userID: ipara authenticated by > certUserDBAuthMgr is > completed DN > > requested: CN=CA Audit,O=TELOIP.NET > > cert issued serial > > number: 0x47 time: 39 > > > > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log* > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: loading all > > self test plugin logger parameters > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: loading all > > self test plugin instances > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: loading all > > self test plugin instance parameters > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: loading > > self test plugins in on-demand order > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: loading > > self test plugins in startup order > > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] > SelfTestSubsystem: Self test > > plugins have been successfully loaded! > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] > SelfTestSubsystem: Running self > > test plugins specified to be executed at startup: > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] > CAPresence: CA is present > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] > SystemCertsVerification: system > > certs verification failure > > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] > SelfTestSubsystem: The CRITICAL > > self test plugin called > selftests.container.instance.SystemCertsVerification > > running at startup FAILED! 
> > > > But intrestingly, [root at caer ~]# ipa cert-show 1 > returns "*ipa: > ERROR: > > Certificate operation cannot be completed: Unable to > communicate with CMS (Not > > Found)*" > > > > On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh > > > > > > >>> wrote: > > > > This could be because of incorrect trust > attributes trust on the > > certificates, the current attributes are, > > > > [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias > > > > Certificate Nickname > Trust Attributes > > > SSL,S/MIME,JAR/XPI > > > > ocspSigningCert cert-pki-ca > u,u,Pu > > subsystemCert cert-pki-ca > u,u,Pu > > caSigningCert cert-pki-ca > CTu,Cu,Cu > > subsystemCert cert-pki-ca > u,u,Pu > > Server-Cert cert-pki-ca > u,u,u > > auditSigningCert cert-pki-ca > u,u,Pu > > > > I'm going to fix the trust attributes and try. > > > > On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik > > > > > >>> wrote: > > > > On 07/20/2016 09:41 PM, Linov Suresh wrote: > > > I have restarted the pki-cad and checked if > communication with the CA is > > > working, but no luck, > > > > > > Debug logs in /var/log/pki-ca do not have > anything > unusual. Can you think of > > > anything other than this? 
> > /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
> > https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >
> > /var/log/pki-ca/debug
> > /var/log/pki-ca/transactions
> > /var/log/pki-ca/selftest.log
> >
> > > [root at caer ~]# ipa cert-show 1
> > > Certificate: (base64-encoded certificate omitted)
> > > Subject: CN=Certificate Authority,O=TELOIP.NET
> > > Issuer: CN=Certificate Authority,O=TELOIP.NET
> > > Not Before: Wed Dec 14 22:29:56 2011 UTC
> > > Not After: Sat Dec 14 22:29:56 2019 UTC
> > > Fingerprint (MD5):
> > > c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
> > > Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
> > > Serial number (hex): 0x1
> > > Serial number: 1
> > > [root at caer ~]#
> > >
> > > *ca-error: Internal error: no response to
> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
> > >
> > > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden wrote:
> > >
> > > > Linov Suresh wrote:
> > > >
> > > > > Thanks for your help Rob, I will create a separate thread for the IPA
> > > > > replication issue. But we are still getting
> > > > >
> > > > > *ca-error: Internal error: no response to
> > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
> > > > >
> > > > > Could you please help us to fix this?
> > > >
> > > > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
> > > > like: ipa cert-show 1
> > > >
> > > > You should get back a cert (doesn't really matter what cert).
> > > >
> > > > Otherwise I'd check the CA debug log somewhere in /var/log/pki
> > > >
> > > > rob
>
> --
> Petr Vobornik

From rcritten at redhat.com Fri Jul 22 18:47:04 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jul 2016 14:47:04 -0400
Subject: [Freeipa-users] Bypass pre-hashed passwords verification
In-Reply-To: <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr>
References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com> <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr>
Message-ID: <57926A28.8050708@redhat.com>

Sébastien Julliot wrote:
> Hi Petr,
>
> Thanks for the documentation. I had already followed the steps from the
> NIS migration page; it works, but does not solve my problem, which is to
> change *already existing users'* passwords.
>
> When trying
>
> ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>
> I get "Pre-Encoded passwords are not valid"

Look at the first link Petr sent you. There is a password sync manager
setting that should be able to insert pre-hashed passwords.

rob

>
> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>> Hello everyone,
>>>
>>> I am currently trying to deploy FreeIPA as the new IdM system in my
>>> university but came across a problem I could not solve yet. I need to
>>> bypass the pre-hashed password verification, not only on user creation.
>>>
>>> Due to several constraints, our workflow involves periodically (once a
>>> day, currently) receiving an LDIF file containing the users' up-to-date
>>> information (including hashed passwords) and inserting this
>>> information into the IdM. As our goal is to unify users' passwords in
>>> the university but we do not have access to the higher-level LDAP directly,
>>> we have injected these pre-hashed passwords directly into the LDAP until today.
>>>
>>> Yet, every attempt I made to update users' passwords with pre-hashed
>>> passwords has failed so far.
>>>
>>> First I tried this (migration mode enabled):
>>>
>>> $ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>>
>>> /*OK*/
>>>
>>> $ kinit testuser
>>>
>>> kinit: Generic preauthentication failure while getting initial credentials
>>>
>>> As expected from the documentation, it does not work :p
>>>
>>> I then thought about trying to copy the migration plug-in, and change
>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>> server). Since this plugin is able to But again, even binding as
>>> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
>>> tested my code without the userPassword field and the users are
>>> correctly inserted).
>>>
>>> Here is my code:
>>>
>>> import ldif                          # LDIF parser from python-ldap
>>> import ipalib
>>> from ipapython.dn import DN
>>> from ipaserver.plugins.ldap2 import ldap2
>>>
>>> class ldif_importer(ldif.LDIFParser):
>>>     def __init__(self, ldap_backend):
>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>         self.ldap = ldap_backend
>>>
>>>     def handle(self, dn, entry):
>>>         # Called once per LDIF record; entry maps attribute -> list of values
>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>
>>> class my_backend(ipalib.Backend):
>>>     '''Backend to import ldap passwords from ldif'''
>>>
>>>     def __init__(self, api):
>>>         ipalib.Backend.__init__(self, api)
>>>         self.ldap = ldap2(self.api)
>>>         # Bind as Directory Manager; the password is redacted here
>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********')
>>>
>>>     def parse(self):
>>>         importer = ldif_importer(self.ldap)
>>>         importer.parse()
>>>
>>> class my_command(ipalib.Command):
>>>     '''Command calling my_backend to import passwords from ldif'''
>>>
>>>     def execute(self, **options):
>>>         '''Implemented against my_backend'''
>>>         self.Backend.my_backend.parse()
>>>         return {'result': 'everything OK'}
>>>
>>>
>>> Should one of these methods have worked, and I did it incorrectly?
>>> Otherwise, what would be the lower-impact solution to achieve this?
>>> (Yes, I understand the security concerns about sending password hashes
>>> over the network but this choice does not depend on me)
>>>
>>> Many thanks in advance,
>>> Sebastien.
>>>
>> The issue might be that the user has his userPassword migrated but he
>> doesn't have a krbPrincipalKey generated.
>> If the Kerberos key is missing then it is automatically generated on a
>> successful LDAP bind (it's what the ipa/migration page does).
>>
>> Additional info which might interest you:
>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>
>

From lslebodn at redhat.com Fri Jul 22 19:24:58 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 22 Jul 2016 21:24:58 +0200
Subject: [Freeipa-users] change GID not work
In-Reply-To: <579228A8.4040309@redhat.com>
References: <061FC241309C8543AAC51450EE0CA595012BDD11DCFB@EX01.office.traffics-switch.de> <579228A8.4040309@redhat.com>
Message-ID: <20160722192457.GA1291@10.4.128.1>

On (22/07/16 10:07), Rob Crittenden wrote:
>Junhe Jian wrote:
>> Hello,
>>
>> I have a problem changing/setting the GID.
>>
>> Creating a new group with GID 999 in the GUI does not work. IPA generates a new
>> GID within the range.
>
>You are running into https://fedorahosted.org/freeipa/ticket/2886
>
>This is fixed in FreeIPA 3.2.
>
>Basically 999 was the "magic" number that IPA used to know when to generate
>an ID value (as opposed to using one requested by the user).
>
>I don't believe there is a workaround for this.
>
IMHO, the workaround is to use a different GID than 999. I do not see a
reason why group docker could not have gid 998.

LS

From linov.suresh at gmail.com Fri Jul 22 19:36:44 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Fri, 22 Jul 2016 15:36:44 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To: <579269D8.6040601@redhat.com>
References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com> <579269D8.6040601@redhat.com>
Message-ID:

Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates again to see if "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*" goes away.

On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden wrote:
> Linov Suresh wrote:
>
>> Could you please verify if we have set correct trust attributes on the
>> certificates
>>
>> *[root at caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>
>> Certificate Nickname                    Trust Attributes
>>                                         SSL,S/MIME,JAR/XPI
>>
>> subsystemCert cert-pki-ca               u,u,Pu
>> ocspSigningCert cert-pki-ca             u,u,u
>> caSigningCert cert-pki-ca               CTu,Cu,Cu
>> subsystemCert cert-pki-ca               u,u,Pu
>> Server-Cert cert-pki-ca                 u,u,u
>> auditSigningCert cert-pki-ca            u,u,Pu
>>
>> *[root at caer ~]# certutil -d /etc/httpd/alias/ -L*
>>
>> Certificate Nickname                    Trust Attributes
>>                                         SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                 u,u,u
>> Server-Cert                             u,u,u
>> TELOIP.NET IPA CA                       CT,C,C
>> ipaCert                                 u,u,u
>> Signing-Cert                            u,u,u
>> Server-Cert                             u,u,u
>>
>> *[root at caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>
>> Certificate Nickname                    Trust Attributes
>>                                         SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                             u,u,u
>> TELOIP.NET IPA CA                       CT,,C
>> Server-Cert                             u,u,u
>> [root at caer ~]#
>>
>> *Please note, there are duplicate certificates in the CA, HTTP and LDAP
>> directories: subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was
>> wondering if we need to remove these duplicate certificates?*
>>
>
> Yeah you should remove the duplicate certs, they seem to cause problems
> with dogtag at least (certmonger _should_ handle this automatically, we'll
> be looking into it soonish).
>
> To remove the duplicate cert:
>
> 1. Shutdown the service
> 2. Back up the NSS database
> 3. certutil -L -d /path/to/db -n <nickname> -a > somefile
> 4. split somefile into separate files so each file has a BEGIN/END
> certificate
> 5. openssl x509 -text -in somefile1..n
> 6.
> Pick the one with the most recent issuance date
> 7. You backed up the NSS database, right?
> 8. certutil -D -d /path/to/db -n <nickname>
> 9. certutil -A -d /path/to/db -n <nickname> -t u,u,u -a -i somefilex
> 10. Start the service, watch logs for errors
>
> For the trust use whatever the original trust value was.
>
> You don't need the P trust flag on the subsystemCert in the CA, only the
> auditSigningCert.
>
> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
> deal with this automatically, picking the "most correct" cert to use based
> on the validity period.
>
> rob
>
>
>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:
>>
>> I'm facing another issue now, my Kerberos tickets are not renewing,
>>
>> *[root at caer ~]# ipa cert-show 1*
>> ipa: ERROR: Ticket expired
>>
>> *[root at caer ~]# klist*
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at TELOIP.NET
>>
>> Valid starting     Expires            Service principal
>> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET at TELOIP.NET
>> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net at TELOIP.NET
>> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net at TELOIP.NET
>>
>> I need to manually renew the tickets every day,
>>
>> *[root at caer ~]# kinit admin*
>> Password for admin at TELOIP.NET:
>> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
>>
>> *[root at caer ~]# klist*
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at TELOIP.NET
>>
>> Valid starting     Expires            Service principal
>> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET at TELOIP.NET
>>
>>
>> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:
>>
>> Linov Suresh wrote:
>>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time.
>>
>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>> was run*
>>
>>
>> The IPA API log isn't going to show much in this case.
>>
>> Requests to the CA are proxied through IPA. The CA WAR is not
>> running on tomcat so when Apache tries to proxy the request
>> tomcat returns a 404, Not Found.
>>
>> You need to start with the dogtag debug and selftest logs to see
>> what is going on. The logs are pretty verbose and can be
>> challenging to read.
>>
>> rob
>>
>>
>> [root at caer ~]# *tail -f /var/log/httpd/error_log*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin at TELOIP.NET: cert_show(u'1'): CertificateOperationError
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21
>>
>>
>> Does `ipa cert-show` communicate with the same replica? Could be
>> verified by `ipa -vv cert-show`
>>
>> *It's asking for the serial number of the certificate. If I give 64
>> (serial number of ipaCert), I get ipa: ERROR: Certificate operation
>> cannot be completed: Unable to communicate with CMS (Not Found)*
>>
>> *[root at caer ~]# ipa -vv cert-show*
>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: found session_cookie in persistent storage for principal 'admin at TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
>> ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>> ipa: DEBUG: Created connection context.xmlclient
>> Serial number: 64
>> ipa: DEBUG: raw: cert_show(u'64')
>> ipa: DEBUG: cert_show(u'64')
>> ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
>> ipa: DEBUG: NSSConnection init caer.teloip.net
>> ipa: DEBUG: Connecting: 10.20.0.75:0
>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> send: "> encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
>> reply: 'HTTP/1.1 200 Success\r\n'
>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>> header: Server: Apache/2.2.15 (CentOS)
>> header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>> header: Connection: close
>> header: Content-Type: text/xml; charset=utf-8
>> ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
>> ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pupdate 457971704
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> body: "> encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate operation cannot be completed: Unable to communicate with CMS (Not Found)\n\n\n\n\n"
>> ipa: DEBUG: Caught fault 4301 from server https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> [root at caer ~]#
>>
>>
>> But more interesting is: SelfTestSubsystem: The CRITICAL self test
>> plugin called selftests.container.instance.SystemCertsVerification
>> running at startup FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>> *Yes, CA is running, *
>>
>> *[root at caer ~]# ipactl status*
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> This looks like the self test failed and therefore the CA
>> shouldn't start. It also says that some CA cert is not valid.
>> Which one might be seen in /var/log/pki-ca/debug but a bigger
>> chunk would be needed.
>>
>> *[root at caer ~]# tail -100 /var/log/pki-ca/debug *
>>
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start updateCertStatus
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In getInvalidCertsByNotBeforeDate finally.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getValidCertsByNotAfterDate filter (certStatus=VALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transidValidCertificates: list size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitValidCertificates: ltSize 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction getting index 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 EDT 2016
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>>
>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik wrote:
>>
>> On 07/21/2016 05:14 PM, Linov Suresh wrote:
>> > I set debug=true in /etc/ipa/default.conf
>> >
>> > Here are my logs,
>>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time. Does `ipa cert-show` communicate with
>> the same replica? Could be verified by `ipa -vv cert-show`
>>
>> But more interesting is:
>>
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification running at startup
>> FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>>
>> This looks like the self test failed and therefore the CA
>> shouldn't start. It also says that some CA cert is not valid. Which one
>> might be seen in /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>> >
>> > *[root at caer ~]# tail -f /var/log/httpd/error_log*
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/debug*
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25 CRL time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25)
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11 CRL time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16 CRL time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16)
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>> >
>> > But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR:
>> > Certificate operation cannot be completed: Unable to
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mohammadsereshki at yahoo.com Sat Jul 23 07:53:24 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sat, 23 Jul 2016 07:53:24 +0000 (UTC)
Subject: [Freeipa-users] ipa-getcert shows error
References: <1131474903.4157973.1469260404890.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1131474903.4157973.1469260404890.JavaMail.yahoo@mail.yahoo.com>

hi
I get below error
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
when I run ipa-getcert list, also how can I check my CAs are renewed or not?

Request ID '20140817123602':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=drvl124.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:36:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20140817123752':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=drvl124.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:37:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Sat Jul 23 19:00:18 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 23 Jul 2016 15:00:18 -0400
Subject: [Freeipa-users] ipa-getcert shows error
In-Reply-To: <1131474903.4157973.1469260404890.JavaMail.yahoo@mail.yahoo.com>
References: <1131474903.4157973.1469260404890.JavaMail.yahoo.ref@mail.yahoo.com> <1131474903.4157973.1469260404890.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5793BEC2.10409@redhat.com>

mohammad sereshki wrote:
> hi
>
> I get below error
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.

I'm guessing IPA is not running, or not completely running. ipactl status
will tell you.

> when I run ipa-getcert list, also how can I check my CAs are renewed or not?
Use just getcert and not ipa-getcert (ipa-getcert returns just a subset
of all certificates being tracked).

rob

From mohammadsereshki at yahoo.com Sat Jul 23 19:08:22 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sat, 23 Jul 2016 19:08:22 +0000 (UTC)
Subject: [Freeipa-users] ipa-getcert shows error
In-Reply-To: <5793BEC2.10409@redhat.com>
References: <1131474903.4157973.1469260404890.JavaMail.yahoo.ref@mail.yahoo.com> <1131474903.4157973.1469260404890.JavaMail.yahoo@mail.yahoo.com> <5793BEC2.10409@redhat.com>
Message-ID: <693789818.4338514.1469300902309.JavaMail.yahoo@mail.yahoo.com>

hi
ipactl status result:
---------------------------
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

getcert list result is:
-------------------------
[root at ipasrv ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140817123522':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2018-06-30 07:57:06 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140817123523':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140817123524':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140817123525':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140817123526':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20140817123534':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MTNCOMANCELL-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140817123602':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:36:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20140817123752':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='Serve?????????????????????????????????????????????????? r-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' ??????? certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer?????????????????????????????????????????????????? t',token='NSS Certificate DB' ??????? CA: IPA ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM ??????? expCOMes: 2016-08-17 12:37:51 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: /usr/lib64/ipa/certmonger/restart_httpd ??????? track: yes ??????? auto-renew: yes [root at ipasrv ~]# getcert list Number of certificates and requests being tracked: 8. Request ID '20140817123522': ??????? status: MONITORING ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310' ??????? certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' ??????? CA: dogtag-ipa-renew-agent ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=CA Audit,O=EXAMPLE.COM ??????? expCOMes: 2018-06-30 07:57:06 UTC ??????? pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad ??????? post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" ??????? track: yes ??????? auto-renew: yes Request ID '20140817123523': ??????? status: MONITORING ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310' ??????? certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' ??????? CA: dogtag-ipa-renew-agent ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? 
subject: CN=OCSP Subsystem,O=EXAMPLE.COM ??????? expCOMes: 2018-06-30 07:56:06 UTC ??????? eku: id-kp-OCSPSigning ??????? pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad ??????? post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" ??????? track: yes ??????? auto-renew: yes Request ID '20140817123524': ??????? status: MONITORING ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310' ??????? certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' ??????? CA: dogtag-ipa-renew-agent ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=CA Subsystem,O=EXAMPLE.COM ??????? expCOMes: 2018-06-30 07:56:06 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad ??????? post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" ??????? track: yes ??????? auto-renew: yes Request ID '20140817123525': ??????? status: MONITORING ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' ??????? certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' ??????? CA: dogtag-ipa-renew-agent ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=IPA RA,O=EXAMPLE.COM ??????? expCOMes: 2018-06-30 07:56:06 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert ??????? track: yes ??????? auto-renew: yes Request ID '20140817123526': ??????? status: MONITORING ??????? stuck: no ??????? 
key paCOM storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='247087063310' ??????? certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' ??????? CA: dogtag-ipa-renew-agent ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM ??????? expCOMes: 2018-06-30 07:56:06 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: ??????? track: yes ??????? auto-renew: yes Request ID '20140817123534': ??????? status: MONITORING ??????? ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'. ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE-COM/pwdfile.txt' ??????? certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB' ??????? CA: IPA ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM ??????? expCOMes: 2016-08-17 12:35:34 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv EXAMPLE-COM ??????? track: yes ??????? auto-renew: yes Request ID '20140817123602': ??????? status: MONITORING ??????? ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'. ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt' ??????? certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' ??????? 
CA: IPA ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM ??????? expCOMes: 2016-08-17 12:36:02 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv PKI-IPA ??????? track: yes ??????? auto-renew: yes Request ID '20140817123752': ??????? status: MONITORING ??????? ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'. ??????? stuck: no ??????? key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' ??????? certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' ??????? CA: IPA ??????? issuer: CN=Certificate Authority,O=EXAMPLE.COM ??????? subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM ??????? expCOMes: 2016-08-17 12:37:51 UTC ??????? eku: id-kp-serverAuth,id-kp-clientAuth ??????? pre-save command: ??????? post-save command: /usr/lib64/ipa/certmonger/restart_httpd ??????? track: yes ??????? auto-renew: yes From: Rob Crittenden To: mohammad sereshki ; Freeipa-users Sent: Saturday, July 23, 2016 11:30 PM Subject: Re: [Freeipa-users] ipa-getcert shows error mohammad sereshki wrote: > hi > > I get below error > ca-error: Error setting up ccache for local "host" service using default > keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'. I'm guessing IPA is not running, or not completely running. ipactl status will tell you. > when I run ipa-getcert list, also how can I check my CAs are renewed or not? Use just getcert and not ipa-getcert (ipa-getcert returns just a subset of all certificates being tracked). rob -------------- next part -------------- An HTML attachment was scrubbed... 
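As an added example for this thread (not code from certmonger, FreeIPA or anyone in the thread), the script below parses `getcert list` output like the listing above and flags what Rob's reply points at: requests carrying a ca-error, stuck or non-MONITORING requests, and certificates close to expiry. Its sample input, the function names and the warning window are my own constructions; note that the three records with a ca-error in the post all expire on 2016-08-17, less than a month after it was sent, which is consistent with a renewal attempt that could not reach the KDC.

```python
"""Triage `getcert list` output: report requests that carry a ca-error,
are stuck, are not in MONITORING state, or expire inside a warning window.

Added example for this thread; it is not certmonger or FreeIPA code.
SAMPLE is constructed from two of the eight records posted above, in the
layout getcert prints (one tab-indented 'field: value' line per field).
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2018-06-30 07:56:06 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20140817123752':
\tstatus: MONITORING
\tca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
\texpires: 2016-08-17 12:37:51 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split getcert list output into one {field: value} dict per request.

    A record starts at an unindented "Request ID '...'" line; every indented
    line below it is split at the first ':' into field and value (an empty
    value such as 'pre-save command:' is kept as '').
    """
    records = []
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            records.append({"request_id": line.split("'")[1]})
        elif line[:1] in ("\t", " ") and records:
            field, _, value = line.strip().partition(":")
            records[-1][field.strip()] = value.strip()
    return records


def parse_expiry(value):
    """getcert prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def nickname(record):
    """NSS nickname of the tracked certificate, or '?' if not an NSSDB entry."""
    m = re.search(r"nickname='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else "?"


def triage(records, now, warn_days=30):
    """Return (request_id, nickname, reason) tuples for requests needing attention."""
    findings = []
    for rec in records:
        reasons = []
        if rec.get("ca-error"):
            reasons.append("ca-error: " + rec["ca-error"])
        if rec.get("stuck") == "yes":
            reasons.append("stuck: yes")
        if rec.get("status") != "MONITORING":
            reasons.append("status: " + rec.get("status", "?"))
        if rec.get("expires"):
            left = parse_expiry(rec["expires"]) - now
            if left < timedelta(0):
                reasons.append("expired (%s)" % rec["expires"])
            elif left <= timedelta(days=warn_days):
                reasons.append("expires in %d days (%s)" % (left.days, rec["expires"]))
        findings.extend((rec["request_id"], nickname(rec), r) for r in reasons)
    return findings


if __name__ == "__main__":
    # Live use:  getcert list | python3 getcert_triage.py   (falls back to SAMPLE)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rid, nick, reason in triage(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%s  %-24s %s" % (rid, nick, reason))
```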
From pvoborni at redhat.com Sun Jul 24 09:10:04 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Sun, 24 Jul 2016 11:10:04 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.3.2
Message-ID: <6ce714d0-3b69-33f0-e8df-386b6a044e55@redhat.com>

The FreeIPA team would like to announce FreeIPA v4.3.2 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository.

This announcement is also available on http://www.freeipa.org/page/Releases/4.3.2

Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.2-1.fc24

== Highlights in 4.3.2 ==

=== Enhancements ===
* added possibility to list/clean dangling RUV records for o=ipaca suffix
  https://fedorahosted.org/freeipa/ticket/4987
* --domain-level of `ipa-server-install` was deprecated
  https://fedorahosted.org/freeipa/ticket/5907

=== Bug fixes ===
* fixed upgrade bug on servers without CA
  https://fedorahosted.org/freeipa/ticket/5958
* fixed installation of server with DNS if A record didn't exist
  https://fedorahosted.org/freeipa/ticket/5962
* fixed issue where A/AAAA DNS records were not created for CA
  https://fedorahosted.org/freeipa/ticket/5966
* fixed installation of CA less replica on domain level 1
  https://fedorahosted.org/freeipa/ticket/5721
* fixed forward zone conflicts with automatic empty zones from BIND
  https://fedorahosted.org/freeipa/ticket/5710
* fixed race condition with multiple simultaneous requests from the same principal
  https://fedorahosted.org/freeipa/ticket/5653

== Upgrading ==
Upgrade instructions are available on the upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.3.2 ==

=== Abhijeet Kasurde (2) ===
* Added description related to 'status' in ipactl man page
* Updated ipa command man page

=== Alexander Bokovoy (1) ===
* otptoken: support Python 3 for the qr code

=== David Kupka (3) ===
* man: Describe ipa-client-install workaround for broken D-Bus environment.
* installer: positional_arguments must be tuple or list of strings
* installer: index() raises ValueError

=== Florence Blanc-Renaud (2) ===
* Do not allow installation in FIPS mode
* Fix session cookies

=== Fraser Tweedale (5) ===
* caacl: correctly handle full user principal name
* Prevent replica install from overwriting cert profiles
* Detect and repair incorrect caIPAserviceCert config
* upgrade: do not try to start CA if not configured
* Move normalize_hostname to where it is expected

=== Jan Cholasta (4) ===
* spec file: bump minimum required pki-core version
* build: fix client-only build
* makeapi: use the same formatting for `int` and `long` values
* replica install: do not set CA renewal master flag

=== Lenka Doudova (2) ===
* WebUI: Test creating user without private group
* Test fix: Cleanup for host certificate

=== Martin Babinsky (1) ===
* replica-prepare: do not add PTR records if there is no IPA managed reverse zone

=== Martin Bašti (18) ===
* Add missing pre_common_callback to stageuser_add
* Revert "ipatests: extend permission plugin test with new expected output"
* make: fail when ACI.txt or API.txt differs from values in source code
* Upgrade: always start CA
* Set proper zanata project-version
* Translations: remove deprecated locale configuration
* Test: fix failing host_test
* Fix: exceptions in DNS tests should not have data attribute
* Translations: update translations for IPA 4.3.x
* Fix resolve_rrsets: RRSet is not hashable
* Translations: update ipa-4-3 translations
* Revert "Switch /usr/bin/ipa to Python 3"
* Use python2 for ipa cli
* Replica promotion: use the correct IPA domain for replica
* CA replica promotion: add proper CA DNS records
* CA replica promotion: fix forgotten import
* Fix replica install with CA
* Use copy when replacing files to keep SELinux context

=== Milan Kubík (3) ===
* ipatests: fix for change_principal context manager
* ipatests: Add test case for requesting a certificate with full principal.
* spec: Add python-sssdconfig dependency for python-ipatests package

=== Oleg Fayans (9) ===
* Added a kdestroy call to clean ccache at master/client uninstallation
* Added 5 more tests to Replica Promotion testsuite
* Fixed a failure in legacy_client tests
* Add test if replica is working after domain upgrade
* Improve reporting of failed tests in topology test suite
* Bugfixes in managed topology tests
* A workaround for ticket N 5348
* Increased certmonger timeout
* Test for incorrect client domain

=== Pavel Vomacka (3) ===
* Add X-Frame-Options and frame-ancestors options
* Add 'skip overlap check' checkbox into add zone dialog
* Add 'skip overlap check' checkbox to the add dns forward zone dialog

=== Petr Viktorin (23) ===
* dns plugin: Fix zone normalization under Python 3
* sysrestore: Iterate over a list of dict keys
* test_xmlrpc: Use absolute imports
* xmlrpc_test: Rename exception instance before working with it
* radiusproxy plugin: Use str(error) rather than error.message
* xmlrpc_test: Expect bytes rather than strings for binary attributes
* ipalib.rpc: Send base64-encoded data as string under Python 3
* range plugin tests: Use bytes with MockLDAP under Python 3
* radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
* certprofile plugin: Use binary mode for file with binary data
* test_add_remove_cert_cmd: Use bytes for base64.b64encode()
* Switch /usr/bin/ipa to Python 3
* Fix remaining relative import and enable Pylint check
* ipalib.cli: Improve reporting of binary values in the CLI
* test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
* ipaldap: Keep attribute names as text, not bytes
* ipapython.secrets.kem: Use ConfigParser from six.moves
* test_topology_plugin: Don't rely on order of an attribute's values
* test_rpcserver: Expect updated error message under Python 3
* ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
* test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
* ipaldap: Convert dict items to list before iterating
* test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

=== Petr Voborník (2) ===
* mod_auth_gssapi: enable unique credential caches names
* Become IPA 4.3.2

=== Petr Špaček (30) ===
* Remove function ipapython.ipautil.host_exists()
* Extend installers with --forward-policy option
* Move automatic empty zone list into ipapython.dnsutil and make it reusable
* Add assert_absolute_dnsname() helper to ipapython.dnsutil
* Move function is_auto_empty_zone() into ipapython.dnsutil
* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
* Add function ipapython.dnsutil.inside_auto_empty_zone()
* Auto-detect default value for --forward-policy option in installers
* DNS: Fix upgrade - master to forward zone transformation
* DNS installer: accept --auto-forwarders option in unattended mode
* Batch command: avoid accessing potentially undefined context.principal
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
* Use root_logger for verify_host_resolvable()
* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
* Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
* Add ipaDNSVersion option to dnsconfig* commands and use new attribute
* DNS upgrade: separate backup logic to make it reusable
* Add function ipapython.dnsutil.related_to_auto_empty_zone()
* DNS upgrade: change forwarding policy to = only for conflicting forward zones
* DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
* DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
* DNS: Warn if forwarding policy conflicts with automatic empty zones
* DNS: Fix realm domains integration with DNS zone add.
* client: Share validator and domain name normalization with server install
* DNS: Fix tests for realm domains integration with DNS zone add
* client-install: do not fail if DNS times out during DNS update generation
* Use NSS for name->resolution in IPA installer
* DNS: Remove unnecessary DNS check from installer
* Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
* Fix internal errors in host-add and other commands caused by DNS resolution

=== Stanislav Laznicka (9) ===
* replica-manage: fail nicely when DM psswd required
* ipa-replica-manage refactoring
* abort-clean/list/clean-ruv now work for both suffixes
* Moved password check from clean_dangling_ruv
* Fix to clean-dangling-ruv for single CA topologies
* Added pyusb as a dependency
* Deprecated the domain-level option in ipa-server-install
* fixes premature sys.exit in ipa-replica-manage del
* Remove dangling RUVs even if replicas are offline

=== Thierry Bordaz (1) ===
* Make sure ipapwd_extop takes precedence over passwd_modify_extop

-- 
Petr Vobornik

From mohammadsereshki at yahoo.com Sun Jul 24 10:29:12 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sun, 24 Jul 2016 10:29:12 +0000 (UTC)
Subject: [Freeipa-users] replica cms issue
References: <2090166873.4515393.1469356152098.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <2090166873.4515393.1469356152098.JavaMail.yahoo@mail.yahoo.com>

hi
I get below error when I want to prepare a server as replica. Would you please help me?

Certificate operation cannot be completed: Unable to communicate with CMS
From anthonyclarka2 at gmail.com Sun Jul 24 14:33:51 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Sun, 24 Jul 2016 10:33:51 -0400
Subject: [Freeipa-users] vaults and service accounts
Message-ID: 

Hello All,

I have a crazy notion of storing a host's SSH private keys in an ipa vault, so that a rebuilt host can use the same keys.

I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to version 1.0 vaults. I'm using this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance

I'm trying the following steps but running into trouble:

ipa service-add ssh/test01.dev.redacted.net
certutil -N -d testcertdb
certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net@DEV.REDACTED.NET
ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem

the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data."

Is there a preferred way to create a public key for asymmetric encryption for a service vault?

Thanks,

Anthony Clark

From mohammadsereshki at yahoo.com Sun Jul 24 15:43:43 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sun, 24 Jul 2016 15:43:43 +0000 (UTC)
Subject: [Freeipa-users] ccache for local "host" service using default keytab
References: <675065525.4561493.1469375023667.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <675065525.4561493.1469375023667.JavaMail.yahoo@mail.yahoo.com>

hi
I get below error, is there any suggestion to solve it?
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.

getcert list |less
Number of certificates and requests being tracked: 8.
Request ID '20140817125452':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=t1vl068.example.com,O=EXAMPLE.COM
        expires: 2016-08-17 12:49:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes

From mohammadsereshki at yahoo.com Sun Jul 24 16:28:05 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sun, 24 Jul 2016 16:28:05 +0000 (UTC)
Subject: [Freeipa-users] Insufficient access
References: <1031130468.4611468.1469377685200.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1031130468.4611468.1469377685200.JavaMail.yahoo@mail.yahoo.com>

hi
I got below error when I tried to check certificates. I ran kinit admin before and it was okay. Would you please help me?

ipa cert-show 1
-----------------
ipa: ERROR: Insufficient access: not allowed to perform this command
From mohammadsereshki at yahoo.com Sun Jul 24 20:02:47 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Sun, 24 Jul 2016 20:02:47 +0000 (UTC)
Subject: [Freeipa-users] Insufficient 'write' privilege to the 'userCertificate'
References: <870937131.4770227.1469390567269.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <870937131.4770227.1469390567269.JavaMail.yahoo@mail.yahoo.com>

hi
I get below error from "getcert list", would you please help me to solve it?

        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ldap/ipasrv.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.).

From pspacek at redhat.com Mon Jul 25 06:15:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Jul 2016 08:15:59 +0200
Subject: [Freeipa-users] Question DNS: DNS views & FreeIPA
In-Reply-To: <1707520.xy7iZH4aVo@techz>
References: <1707520.xy7iZH4aVo@techz>
Message-ID: 

On 22.7.2016 18:50, Günther J. Niederwimmer wrote:
> Hello List,
>
> what is the best way to include a local DNS Server?

Could you be more specific? What exactly are you trying to achieve?

> Can I configure on a IPA DNS Server (extern) views for a internal DNS without
> problems ?
>
> Is the named Configuration is overwritten by Updates or other ?

Yes, the named.conf can be overwritten from time to time. FreeIPA-integrated DNS "owns" that file and does modifications to it.

> I have read now much FreeIPA Doc's but found nothing for this Problem ?
The most important chapter is
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-dns

"""
An IdM server with integrated DNS services
The integrated DNS server provided by IdM is not designed to be used as a general-purpose DNS server. It only supports features related to IdM deployment and maintenance. It does not support some of the advanced DNS features.
"""

DNS views are out of scope of FreeIPA DNS. If you insist on using views you will be on your own.

We plan to focus on integration with external DNS in some future release but this work is not scoped yet. It would be great if you could provide us details for your use-case so we can consider it in planning.

Thank you!

-- 
Petr^2 Spacek

From jian at traffics.de Mon Jul 25 06:34:35 2016
From: jian at traffics.de (Junhe Jian)
Date: Mon, 25 Jul 2016 08:34:35 +0200
Subject: [Freeipa-users] change GID not work
In-Reply-To: <20160722192457.GA1291@10.4.128.1>
References: <061FC241309C8543AAC51450EE0CA595012BDD11DCFB@EX01.office.traffics-switch.de> <579228A8.4040309@redhat.com> <20160722192457.GA1291@10.4.128.1>
Message-ID: <061FC241309C8543AAC51450EE0CA595012C3280E336@EX01.office.traffics-switch.de>

Thank you very much @ all. I see I must change the GID for docker.

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Friday, 22 July 2016 21:25
To: Rob Crittenden
Cc: Junhe Jian; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] change GID not work

On (22/07/16 10:07), Rob Crittenden wrote:
>Junhe Jian wrote:
>> Hello,
>>
>> i have a problem to change/set the GID.
>>
>> I create a new Group with a GID 999 in GUI not work. IPA generate a
>> new GID within the Range.
>
>You are running into https://fedorahosted.org/freeipa/ticket/2886
>
>This is fixed in freeIPA 3.2.
>
>Basically 999 was the "magic" number that IPA used to know when to
>generate an ID value (as opposed to using one requested by the user).
>
>I don't believe there is a workaround for this.
>
IMHO, workaround is to use different GID than 999.
I do not see a reason why group docker could not have gid 998

LS

From mohammadsereshki at yahoo.com Mon Jul 25 06:51:10 2016
From: mohammadsereshki at yahoo.com (mohammad sereshki)
Date: Mon, 25 Jul 2016 06:51:10 +0000 (UTC)
Subject: [Freeipa-users] ca-error 2100
References: <1977889624.4858509.1469429470791.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1977889624.4858509.1469429470791.JavaMail.yahoo@mail.yahoo.com>

hi
do you know how can i solve it?

getcert list|grep -i err
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ldap/ipasrv.**.**@***.**,cn=services,cn=accounts,dc=***,dc=**'.).
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/ipasrv.**.**@***.**,cn=services,cn=accounts,dc=***,dc=**'.)
From mbasti at redhat.com Mon Jul 25 08:16:17 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jul 2016 10:16:17 +0200
Subject: [Freeipa-users] Unable to add CA on an already configured replica
In-Reply-To: <312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com>
References: <312415248.3085984.1469211457614.JavaMail.yahoo.ref@mail.yahoo.com> <312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <924ec71d-d1d2-7da6-98d2-677c0c070111@redhat.com>

On 22.07.2016 20:17, pgb205 wrote:
> Current topology:
> ipa-srv1<->ipa-srv2
>
> ipa-srv1 already has CA installed but *NOT* ipa-srv2.
>
> The reason I would like to add CA on ipa-srv2 is because I want the
> setup to ultimately become
> ipa-srv2<->ipa-srv2<->ipa-srv3
>
> however I am unable to create gpg replication file on ipa-srv2 (to be
> used to establish replication agreement to ipa-srv3)
> as I get an error message: Certificate operation cannot be completed:
> Unable to communicate with CMS (Internal Server Error)
> From what I've found gpg can only be created on replica with CA
> installed.
>
> to install CA I tried the following command
> ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
> This errors out at
>   [8/21]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> restart the Dogtag instance. See the installation log for details.
>   [9/21]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed
> with HTTP status 500

Hello,

can you please check /var/log/pki/pki-tomcat/ca/debug for more specific errors?

Regards,
Martin

>
> systemctl status pki-tomcatd@pki-tomcat.service
>
> shows the pki service is running, surprisingly.
>
> but it's still not listed in ipactl status output
>
> further attempts to install are halted with error : CA is already
> installed on this system and I have to manually delete everything with:
> pkidestroy -s CA -i pki-tomcat
> rm -rf /var/log/pki/pki-tomcat
> rm -rf /etc/sysconfig/pki-tomcat
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
> rm -rf /var/lib/pki/pki-tomcat
> rm -rf /etc/pki/pki-tomcat
>
>
> in error logs the one message that stands out is:
> 500 internal server error. which repeats multiple times at the end of
> log file.
>
> Please suggest on what can be done in this situation.
>
> PS: regarding pkidestroy and pkiremove commands. What is the
> difference or does pkidestroy supersede pkiremove.
> Alexander B suggests pkiremove in one of his older posts and 'yum
> whatprovides pkiremove' also suggests that it should be available.
>

From mbasti at redhat.com Mon Jul 25 08:32:09 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jul 2016 10:32:09 +0200
Subject: [Freeipa-users] vaults and service accounts
In-Reply-To: 
References: 
Message-ID: 

On 24.07.2016 16:33, Anthony Clark wrote:
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in a ipa
> vault, so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard
> centos base repository, so I'm constrained to version 1.0 vaults.
I'm > using this page: > http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance > > I'm trying these following steps but running into trouble: > > ipa service-add ssh/test01.dev.redacted.net > > > certutil -N -d testcertdb > > certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net > ,O=DEV.REDACTED.NET > ' > > > ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K > ssh/test01.dev.redacted.net at DEV.REDACTED.NET > > > ipa vault-add testsshd02 --service > ssh/test01.dev.redacted.net at DEV.REDACTED.NET > --type asymmetric > --public-key-file testsshd01-cert.pem > > the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': > Invalid or unsupported vault public key: Could not unserialize key data." > > Is there a preferred way to create a public key for asymmetric > encryption for a service vault? > > Thanks, > > Anthony Clark > > Hello, I suspect you should use just private key, not certificate https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL Regards, Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From julliot at ljll.math.upmc.fr Mon Jul 25 09:58:49 2016 From: julliot at ljll.math.upmc.fr (=?UTF-8?Q?S=c3=a9bastien_Julliot?=) Date: Mon, 25 Jul 2016 11:58:49 +0200 Subject: [Freeipa-users] Bypass pre-hashed passwords verification In-Reply-To: <57926A28.8050708@redhat.com> References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com> <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr> <57926A28.8050708@redhat.com> Message-ID: <4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr> Hello Rob, The indicated method was unsuccessful, but I found another way to do it :) Here is a summary of my unsuccessful tests : ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ==' ------------------------------- Utilisateur ? testuser ? ajout? 
-------------------------------

Now I am able to log in as /testuser/. Yet, despite having added admin as a
passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config:

? ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: cn=Directory Manager
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr

I still get an error when trying to set pre-hashed passwords:

? ~ cat change_testuser_passwd.ldif
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

? ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
Enter LDAP Password:
modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
ldap_modify: Constraint violation (19)
additional info: Pre-Encoded passwords are not valid

However, I noted that using ldappasswd does the job, /even without having set
passSyncManagerDNs/. It is not as clean as if I could have used the FreeIPA API
to change passwords, but for lack of better, it will do the job.

On 22/07/2016 at 20:47, Rob Crittenden wrote:
> Sébastien Julliot wrote:
>> Hi Petr,
>>
>>
>> Thanks for the documentation. I already had followed the steps from the
>> NIS migration page, it works, but does not solve my problem, which is to
>> change *already existing users* passwords.
>>
>> When trying
>>
>> ipa user-mod testuser --setattr
>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>
>> I get "Pre-Encoded passwords are not valid"
>
> Look at the first link Petr sent you. There is a password sync manager
> setting that should be able to insert pre-hashed passwords.
>
> rob
>
>>
>>
>>
>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>> Hello everyone,
>>>>
>>>> I am currently trying to deploy FreeIPA as the new IdM system in my
>>>> university but came across a problem I could not solve yet. I need to
>>>> bypass the pre-hashed passwords verification, not only on the user
>>>> creation.
>>>>
>>>> Due to several constraints, our workflow involves periodically (once a
>>>> day, currently) receiving an LDIF file containing the users' up-to-date
>>>> information (including hashed passwords) and inserting this
>>>> information into the IdM. As our goal is to unify users' passwords in
>>>> the university but we do not have access to the higher-level LDAP
>>>> directly, we injected these pre-hashed passwords directly into the LDAP
>>>> until today.
>>>>
>>>> Yet, every attempt I made to update users' passwords with pre-hashed
>>>> passwords failed for now.
>>>>
>>>> First I tried this (migration mode enabled):
>>>>
>>>> ? ~ ipa user-add testuser --first=test --last=user --setattr
>>>> userpassword='{MD5}*********************'
>>>>
>>>> /*OK*/
>>>>
>>>> ? ~ kinit testuser
>>>>
>>>> kinit: Generic preauthentication failure while getting initial
>>>> credentials
>>>>
>>>> As expected from the documentation, it does not work :p
>>>>
>>>> I then thought about trying to copy the migration plug-in, and change
>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>> server). Since this plugin is able to But again, even binding as
>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>> me (I tested my code without the userPassword field and the users are
>>>> correctly inserted).
>>>>
>>>> Here is my code:
>>>>
>>>> import ldif                                 # python-ldap LDIF parser
>>>> import ipalib
>>>> from ipapython.dn import DN
>>>> from ipaserver.plugins.ldap2 import ldap2   # FreeIPA's LDAP backend
>>>>
>>>> class ldif_importer(ldif.LDIFParser):
>>>>     def __init__(self, ldap_backend):
>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>         self.ldap = ldap_backend
>>>>
>>>>     def handle(self, dn, entry):
>>>>         # called once per LDIF record; add it through the IPA backend
>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>
>>>> class my_backend(ipalib.Backend):
>>>>     '''Backend to import ldap passwords from ldif'''
>>>>
>>>>     def __init__(self, api):
>>>>         ipalib.Backend.__init__(self, api)
>>>>         self.ldap = ldap2(self.api)
>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>                           bind_pw='***********')
>>>>
>>>>     def parse(self):
>>>>         importer = ldif_importer(self.ldap)
>>>>         importer.parse()
>>>>
>>>> class my_command(ipalib.Command):
>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>
>>>>     def execute(self, **options):
>>>>         '''Implemented against my_backend'''
>>>>         self.Backend.my_backend.parse()
>>>>         return {'result': 'everything OK'}
>>>>
>>>>
>>>> Should one of these methods have worked, and I did it incorrectly?
>>>> Otherwise, what would be the lower-impact solution to achieve this?
>>>> (Yes, I understand the security concerns about sending password
>>>> hashes on the network but this choice does not depend on me)
>>>>
>>>> Many thanks in advance,
>>>> Sebastien.
>>>>
>>> The issue might be that the user has his userPassword migrated but he
>>> doesn't have krbPrincipalKey generated. If the Kerberos key is missing then
>>> it is automatically generated on successful LDAP bind (it's what the
>>> ipa/migration page does)
>>>
>>> Additional info which might interest you:
>>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
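The {MD5} value and the base64 (`::`) LDIF line in Sébastien's message, as an added example in stdlib Python that is not code from the thread: it builds and checks RFC 2307-style {MD5} userPassword values, emits the same `changetype: modify` LDIF as the posted file, and, going beyond the thread, shows the salted {SSHA} scheme 389-ds also supports for contrast. The user DN and the {MD5} value are the ones quoted above; the passwords and salt are constructed sample values.

```python
"""{MD5} userPassword values and the base64 LDIF form used in the thread.

Added example, not code from the thread. Stdlib only; runs offline.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Value and DN quoted in the thread (the poster's test user).
PAGE_MD5_VALUE = "{MD5}8UBIfmQu5CpHAAniVJWPrQ=="
PAGE_USER_DN = "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"


def md5_scheme(password: str) -> str:
    """RFC 2307-style {MD5}: base64 of the raw 16-byte MD5 digest.

    Unsalted: equal passwords give equal values and the digest is cheap
    to brute-force offline, so treat such values as secrets in transit.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_scheme(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} (also a 389-ds scheme): base64(sha1(pw||salt) || salt).

    Shown for contrast; the thread itself only uses {MD5}. Constructed
    salt is accepted for reproducible tests, otherwise 8 random bytes.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value: str) -> Tuple[str, bytes]:
    """Split '{SCHEME}base64' into (SCHEME, raw decoded bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {SCHEME}-prefixed userPassword value")
    scheme, _, encoded = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(encoded)


def verify(value: str, candidate: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} value."""
    scheme, raw = split_scheme(value)
    if scheme == "MD5":
        expected = hashlib.md5(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported scheme {}".format(scheme))


def ldif_base64_line(attr: str, value: str) -> str:
    """Attribute line in the '::' base64 form of RFC 2849.

    This is how change_testuser_passwd.ldif in the thread carries the
    {MD5} value; a single ':' followed by the literal value is also valid.
    """
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "{}:: {}".format(attr, encoded)


def decode_ldif_line(line: str) -> Tuple[str, str]:
    """Inverse of ldif_base64_line; also accepts the plain ': ' form."""
    if ":: " in line:
        attr, _, encoded = line.partition(":: ")
        return attr, base64.b64decode(encoded).decode("utf-8")
    attr, _, value = line.partition(": ")
    return attr, value


def modify_ldif(user_dn: str, hashed_value: str) -> str:
    """Build the 'changetype: modify' LDIF that replaces userPassword.

    Same shape as the thread's file. As the thread shows, 389-ds answered
    this MODIFY with 'Pre-Encoded passwords are not valid' even with
    passSyncManagersDNs set, and a userPassword written this way gives
    the user no Kerberos key until a successful LDAP bind generates one.
    """
    return "\n".join([
        "dn: {}".format(user_dn),
        "changetype: modify",
        "replace: userpassword",
        ldif_base64_line("userpassword", hashed_value),
        "",
    ])


if __name__ == "__main__":
    print(modify_ldif(PAGE_USER_DN, PAGE_MD5_VALUE))
    print(verify(md5_scheme("sample-password"), "sample-password"))
```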
URL: From julliot at ljll.math.upmc.fr Mon Jul 25 12:00:30 2016 From: julliot at ljll.math.upmc.fr (=?UTF-8?Q?S=c3=a9bastien_Julliot?=) Date: Mon, 25 Jul 2016 14:00:30 +0200 Subject: [Freeipa-users] Bypass pre-hashed passwords verification In-Reply-To: <4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr> References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com> <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr> <57926A28.8050708@redhat.com> <4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr> Message-ID: <19f0115e-adc1-f860-0a7f-527fbac210e3@ljll.math.upmc.fr> Looks like I spoke too fast. Using ldappasswd, no problems with ldap queries. But kinit rejects my password .. Le 25/07/2016 ? 11:58, S?bastien Julliot a ?crit : > Hello Rob, > > The indicated method was unsuccessful, but I found another way to do it :) > > Here is a summary of my unsuccessful tests : > ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ==' > ------------------------------- > Utilisateur ? testuser ? ajout? > ------------------------------- > > Now I am able to log as /testuser /. Yet, despite having added admin > as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config > ? ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns > dn: cn=ipa_pwd_extop,cn=plugins,cn=config > passsyncmanagersdns: cn=Directory Manager > passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr > > I still get an error when trying to set pre-hashed passwords : > ? ~ cat change_testuser_passwd.ldif > dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr > changetype: modify > replace: userpassword > userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0= > ? 
~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif > Enter LDAP Password: > modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" > ldap_modify: Constraint violation (19) > additional info: Pre-Encoded passwords are not valid > > However, I noted that using ldappasswd does the job, /even without > having set passSyncManagerDNs. > > /It is not as clean as if I could have use freeipa API to change > passwords, but for lack of better, it will do the job. > > Le 22/07/2016 ? 20:47, Rob Crittenden a ?crit : >> S?bastien Julliot wrote: >>> Hi Petr, >>> >>> >>> Thanks for the documentations. I already had followed the steps from >>> the >>> NIS migration page, it works, but does not solve my problem, which >>> is to >>> change *already existing users* passwords. >>> >>> When trying >>> >>> ipa user-mod testuser --setattr >>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA==' >>> >>> I get "Pre-Encoded passwords are not valid" >> >> Look at the first link Petr sent you. There is a password sync >> manager setting that should be able to insert pre-hashed passwords. >> >> rob >> >>> >>> >>> >>> Le 22/07/2016 ? 15:08, Petr Vobornik a ?crit : >>>> On 07/22/2016 11:42 AM, S?bastien Julliot wrote: >>>>> Hello everyone, >>>>> >>>>> I am currently trying to deploy FreeIPA as the new idm system in my >>>>> university but came across a problem I could not solve yet. I need to >>>>> bypass the pre-hashed passwords verification, not only on the user >>>>> creation. >>>>> >>>>> Due to several constraints, our workflow involves periodically >>>>> (once a >>>>> day, currently) receiving an ldif file containing the users >>>>> up-to-date >>>>> informations, (including hashed passwords) and inserting this >>>>> informations into the idm. 
As our goal is to unify users passwords in >>>>> the university but do not have access to the higher-level LDAP >>>>> directly, >>>>> we injected this pre-hashed passwords directly into the LDAP until >>>>> today. >>>>> >>>>> Yet, every attempt I made to update users passwords with pre-hashed >>>>> passwords failed for now. >>>>> >>>>> First I tried this (migration mode enabled): >>>>> >>>>> ? ~ ipa user-add testuser --first=test --last=user --setattr >>>>> userpassword='{MD5}*********************' >>>>> >>>>> /*OK*/ >>>>> >>>>> ? ~ kinit testuser >>>>> >>>>> kinit: Generic preauthentication failure while getting initial >>>>> credentials >>>>> >>>>> As expected from the documentation, it does not work :p >>>>> >>>>> I then thought about trying to copy the migration plug-in, and change >>>>> the way it retrieves users (from LDIF rather than from an online LDAP >>>>> server). Since this plugin is able to But again, event binding as >>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses >>>>> me (I >>>>> tested my code without the userPassword field and the users are >>>>> correctly inserted). 
>>>>> >>>>> Here is my code : >>>>> >>>>> class ldif_importer(ldif.LDIFParser): >>>>> def __init__(self, ldap_backend): >>>>> ldif.LDIFParser.__init__(self, open('test.ldif', 'rb')) >>>>> self.ldap = ldap_backend >>>>> >>>>> def handle(self, dn, entry): >>>>> self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry)) >>>>> >>>>> class my_backend(ipalib.Backend): >>>>> '''Backend to import ldap passwords from ldif''' >>>>> >>>>> def __init__(self, api): >>>>> ipalib.Backend.__init__(self, api) >>>>> self.ldap = ldap2(self.api) >>>>> self.ldap.connect(bind_dn=DN('cn=Directory Manager'), >>>>> bind_pw='***********') >>>>> >>>>> def parse(self): >>>>> importer = ldif_importer(self.ldap) >>>>> importer.parse() >>>>> >>>>> class my_command(ipalib.Command): >>>>> '''Command calling my_backend to import passwords from ldif''' >>>>> >>>>> def execute(self, **options): >>>>> '''Implemented against my_backend''' >>>>> self.Backend.my_backend.parse() >>>>> return {'result': 'everything OK'} >>>>> >>>>> >>>>> Should one of these methods have worked, and I did it incorrectly ? >>>>> Otherwise, what would be the lower-impact solution to achieve this ? >>>>> (Yes, I understand the security concerns about sending passwords >>>>> hashes >>>>> on the network but this choice does not depend on me) >>>>> >>>>> Many thanks in advance, >>>>> Sebastien. >>>>> >>>> I issue might be that the user has his userPassword migrated but he >>>> doesn't have krbPrincipalKey generated. If kerberos key is missing >>>> then >>>> it is automatically generated on successful LDAP bind (it's what >>>> ipa/migration page does) >>>> >>>> Additional info which might interest you: >>>> * >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync >>>> >>>> * >>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From igreen at redhat.com Mon Jul 25 12:49:32 2016 From: igreen at redhat.com (Ilan Green) Date: Mon, 25 Jul 2016 08:49:32 -0400 (EDT) Subject: [Freeipa-users] Freeipa and FQDN requirement In-Reply-To: <492242221.8948355.1469450567377.JavaMail.zimbra@redhat.com> Message-ID: <1960034724.8949773.1469450972397.JavaMail.zimbra@redhat.com> Hello, Customer wants to switch between the IPA server FQDN and short name in /etc/hosts (having the short name first) post IPA install? Can anyone please confirm that the suggestions & reservations listed by Simo Sorce in the following thread still apply - i.e. no RFE was ever applied yet? https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00079 mainly: https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00104 https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00105 Thanks, Ilan Green Senior Technical Account Manager - EMEA Red Hat Mobile (+972) 52 3403218 email: igreen at redhat.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Mon Jul 25 12:57:54 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 25 Jul 2016 14:57:54 +0200 Subject: [Freeipa-users] Bypass pre-hashed passwords verification In-Reply-To: <19f0115e-adc1-f860-0a7f-527fbac210e3@ljll.math.upmc.fr> References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com> <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr> <57926A28.8050708@redhat.com> <4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr> <19f0115e-adc1-f860-0a7f-527fbac210e3@ljll.math.upmc.fr> Message-ID: <6d5cf123-c517-d1c0-504c-4fc91bc468f5@redhat.com> On 25.7.2016 14:00, S?bastien Julliot wrote: > Looks like I spoke too fast. Using ldappasswd, no problems with ldap > queries. > > But kinit rejects my password .. AFAIK this works only for LDAP ADD operation. Rob, do you remember? Petr^2 Spacek > Le 25/07/2016 ? 
11:58, S?bastien Julliot a ?crit : >> Hello Rob, >> >> The indicated method was unsuccessful, but I found another way to do it :) >> >> Here is a summary of my unsuccessful tests : >> ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ==' >> ------------------------------- >> Utilisateur ? testuser ? ajout? >> ------------------------------- >> >> Now I am able to log as /testuser /. Yet, despite having added admin >> as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config >> ? ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns >> dn: cn=ipa_pwd_extop,cn=plugins,cn=config >> passsyncmanagersdns: cn=Directory Manager >> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr >> >> I still get an error when trying to set pre-hashed passwords : >> ? ~ cat change_testuser_passwd.ldif >> dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr >> changetype: modify >> replace: userpassword >> userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0= >> ? ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif >> Enter LDAP Password: >> modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" >> ldap_modify: Constraint violation (19) >> additional info: Pre-Encoded passwords are not valid >> >> However, I noted that using ldappasswd does the job, /even without >> having set passSyncManagerDNs. >> >> /It is not as clean as if I could have use freeipa API to change >> passwords, but for lack of better, it will do the job. >> >> Le 22/07/2016 ? 20:47, Rob Crittenden a ?crit : >>> S?bastien Julliot wrote: >>>> Hi Petr, >>>> >>>> >>>> Thanks for the documentations. 
I already had followed the steps from >>>> the >>>> NIS migration page, it works, but does not solve my problem, which >>>> is to >>>> change *already existing users* passwords. >>>> >>>> When trying >>>> >>>> ipa user-mod testuser --setattr >>>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA==' >>>> >>>> I get "Pre-Encoded passwords are not valid" >>> >>> Look at the first link Petr sent you. There is a password sync >>> manager setting that should be able to insert pre-hashed passwords. >>> >>> rob >>> >>>> >>>> >>>> >>>> Le 22/07/2016 ? 15:08, Petr Vobornik a ?crit : >>>>> On 07/22/2016 11:42 AM, S?bastien Julliot wrote: >>>>>> Hello everyone, >>>>>> >>>>>> I am currently trying to deploy FreeIPA as the new idm system in my >>>>>> university but came across a problem I could not solve yet. I need to >>>>>> bypass the pre-hashed passwords verification, not only on the user >>>>>> creation. >>>>>> >>>>>> Due to several constraints, our workflow involves periodically >>>>>> (once a >>>>>> day, currently) receiving an ldif file containing the users >>>>>> up-to-date >>>>>> informations, (including hashed passwords) and inserting this >>>>>> informations into the idm. As our goal is to unify users passwords in >>>>>> the university but do not have access to the higher-level LDAP >>>>>> directly, >>>>>> we injected this pre-hashed passwords directly into the LDAP until >>>>>> today. >>>>>> >>>>>> Yet, every attempt I made to update users passwords with pre-hashed >>>>>> passwords failed for now. >>>>>> >>>>>> First I tried this (migration mode enabled): >>>>>> >>>>>> ? ~ ipa user-add testuser --first=test --last=user --setattr >>>>>> userpassword='{MD5}*********************' >>>>>> >>>>>> /*OK*/ >>>>>> >>>>>> ? 
~ kinit testuser >>>>>> >>>>>> kinit: Generic preauthentication failure while getting initial >>>>>> credentials >>>>>> >>>>>> As expected from the documentation, it does not work :p >>>>>> >>>>>> I then thought about trying to copy the migration plug-in, and change >>>>>> the way it retrieves users (from LDIF rather than from an online LDAP >>>>>> server). Since this plugin is able to But again, event binding as >>>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses >>>>>> me (I >>>>>> tested my code without the userPassword field and the users are >>>>>> correctly inserted). >>>>>> >>>>>> Here is my code : >>>>>> >>>>>> class ldif_importer(ldif.LDIFParser): >>>>>> def __init__(self, ldap_backend): >>>>>> ldif.LDIFParser.__init__(self, open('test.ldif', 'rb')) >>>>>> self.ldap = ldap_backend >>>>>> >>>>>> def handle(self, dn, entry): >>>>>> self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry)) >>>>>> >>>>>> class my_backend(ipalib.Backend): >>>>>> '''Backend to import ldap passwords from ldif''' >>>>>> >>>>>> def __init__(self, api): >>>>>> ipalib.Backend.__init__(self, api) >>>>>> self.ldap = ldap2(self.api) >>>>>> self.ldap.connect(bind_dn=DN('cn=Directory Manager'), >>>>>> bind_pw='***********') >>>>>> >>>>>> def parse(self): >>>>>> importer = ldif_importer(self.ldap) >>>>>> importer.parse() >>>>>> >>>>>> class my_command(ipalib.Command): >>>>>> '''Command calling my_backend to import passwords from ldif''' >>>>>> >>>>>> def execute(self, **options): >>>>>> '''Implemented against my_backend''' >>>>>> self.Backend.my_backend.parse() >>>>>> return {'result': 'everything OK'} >>>>>> >>>>>> >>>>>> Should one of these methods have worked, and I did it incorrectly ? >>>>>> Otherwise, what would be the lower-impact solution to achieve this ? >>>>>> (Yes, I understand the security concerns about sending passwords >>>>>> hashes >>>>>> on the network but this choice does not depend on me) >>>>>> >>>>>> Many thanks in advance, >>>>>> Sebastien. 
>>>>>> >>>>> I issue might be that the user has his userPassword migrated but he >>>>> doesn't have krbPrincipalKey generated. If kerberos key is missing >>>>> then >>>>> it is automatically generated on successful LDAP bind (it's what >>>>> ipa/migration page does) >>>>> >>>>> Additional info which might interest you: >>>>> * >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync >>>>> >>>>> * >>>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords >>>>> >>>>> >>>> >>> >> > > > > -- Petr^2 Spacek From pspacek at redhat.com Mon Jul 25 13:01:39 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 25 Jul 2016 15:01:39 +0200 Subject: [Freeipa-users] Freeipa and FQDN requirement In-Reply-To: <1960034724.8949773.1469450972397.JavaMail.zimbra@redhat.com> References: <1960034724.8949773.1469450972397.JavaMail.zimbra@redhat.com> Message-ID: On 25.7.2016 14:49, Ilan Green wrote: > Hello, > Customer wants to switch between the IPA server FQDN and short name in /etc/hosts (having the short name first) post IPA install? > > Can anyone please confirm that the suggestions & reservations listed by Simo Sorce in the following thread still apply - i.e. no RFE was ever applied yet? > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00079 > > mainly: > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00104 > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00105 This might or might not work, we do not test this scenario. In any case it goes directly against procedures in official docs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs ... so do not be surprised if things break. In general we strongly recommend to use a dedicated machine for IdM server for security reasons. 
There should be no technical reason not to use FQDN hostname for a dedicated VM as the requirement for short names as hostname usually comes from crappy applications. -- Petr^2 Spacek From igreen at redhat.com Mon Jul 25 13:15:41 2016 From: igreen at redhat.com (Ilan Green) Date: Mon, 25 Jul 2016 09:15:41 -0400 (EDT) Subject: [Freeipa-users] Freeipa and FQDN requirement In-Reply-To: References: <1960034724.8949773.1469450972397.JavaMail.zimbra@redhat.com> Message-ID: <7582459.8957971.1469452541876.JavaMail.zimbra@redhat.com> Thanks, The issue per customer is having loads of legacy applications programmed to use short host names - it will be cumbersome to fix it Ilan Green Senior Technical Account Manager - EMEA Red Hat Mobile (+972) 52 3403218 email: igreen at redhat.com ----- Original Message ----- > From: "Petr Spacek" > To: freeipa-users at redhat.com > Sent: Monday, July 25, 2016 4:01:39 PM > Subject: Re: [Freeipa-users] Freeipa and FQDN requirement > On 25.7.2016 14:49, Ilan Green wrote: > > Hello, > > Customer wants to switch between the IPA server FQDN and short name in > > /etc/hosts (having the short name first) post IPA install? > > > > Can anyone please confirm that the suggestions & reservations listed by > > Simo Sorce in the following thread still apply - i.e. no RFE was ever > > applied yet? > > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00079 > > > > mainly: > > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00104 > > https://www.redhat.com/archives/freeipa-users/2014-August/thread.html#00105 > This might or might not work, we do not test this scenario. > In any case it goes directly against procedures in official docs: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs > ... so do not be surprised if things break. 
> In general we strongly recommend to use a dedicated machine for IdM server > for > security reasons. There should be no technical reason not to use FQDN > hostname > for a dedicated VM as the requirement for short names as hostname usually > comes from crappy applications. > -- > Petr^2 Spacek > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From David.Alston at sabre.com Mon Jul 25 13:24:27 2016 From: David.Alston at sabre.com (Alston, David) Date: Mon, 25 Jul 2016 08:24:27 -0500 Subject: [Freeipa-users] Replicating users/groups from AD In-Reply-To: <1469202552.18067.50.camel@redhat.com> References: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> <1469202552.18067.50.camel@redhat.com> Message-ID: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C0837@SGTULMMP001.Global.ad.sabre.com> Greetings! Yes, I had been hoping there would be a way to incorporate domain trusts between Active Directory and FreeIPA while the clients relying on these for identity management shared the same DNS domain (eg. linux.company.com and windows.company.com). It sounds like that isn't going to happen. Account replication seems like another way for Active Directory users to be able to login to servers to use the same username/password for logging in. It wouldn't have SSO, but at least a user would be able to use the same username/password everywhere. Replicating user accounts from an external AD/LDAP server seems to be built-in, at the moment. There aren't any plans to take that away, is there? Ideally, I'd want a two way sync so that password changes and user group changes are replicated back to AD as well. 
--David Alston -----Original Message----- From: Simo Sorce [mailto:simo at redhat.com] Sent: Friday, July 22, 2016 10:49 AM To: Alston, David Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Replicating users/groups from AD On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote: > Greetings! > > I realize that FreeIPA is supposed to be setup as master of its > own domain, but are there any plans to continue the account > replication functionality that has already been in FreeIPA? I had > heard rumor that it would be possible to have FreeIPA and Active > Directory coexist in the same domain in some release in the future. > Am I waiting for a feature that will never come? Hi David, in order to respond to your question an idea of what are your expectations would is needed. If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they will never coexists. If by Domain you mean DNS Domain read then FreeIPA can work in the same domain as AD but only if you do not care for them interacting (at the kerberos level, no trusts, no SSO). You can basically have only one association between a DNS domain and a Realm, and a DNS domain is either going to be associated to the AD Domain server or to the IPA Domain. Synchronization, however is a completely unrelated topic, and I can't give you an answer on that side as I do not understand how it would relate to the coexistence of FreeIPA and AD in a single DNS domain. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Mon Jul 25 13:28:31 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Jul 2016 16:28:31 +0300 Subject: [Freeipa-users] Freeipa and FQDN requirement In-Reply-To: <7582459.8957971.1469452541876.JavaMail.zimbra@redhat.com> References: <1960034724.8949773.1469450972397.JavaMail.zimbra@redhat.com> <7582459.8957971.1469452541876.JavaMail.zimbra@redhat.com> Message-ID: <20160725132831.lgflbg7p2h5zxszj@redhat.com> On Mon, 25 Jul 2016, Ilan Green wrote: >Thanks, >The issue per customer is having loads of legacy applications >programmed to use short host names - it will be cumbersome to fix it What Petr asked about is to not host IPA server on the same machine as those legacy apps. Have IPA servers separate from legacy apps. There is no need to rename all legacy hosts but there is also no need to have IPA master hosted on the same machine as any of those legacy hosts. -- / Alexander Bokovoy From simo at redhat.com Mon Jul 25 13:30:21 2016 From: simo at redhat.com (Simo Sorce) Date: Mon, 25 Jul 2016 09:30:21 -0400 Subject: [Freeipa-users] Replicating users/groups from AD In-Reply-To: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C0837@SGTULMMP001.Global.ad.sabre.com> References: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> <1469202552.18067.50.camel@redhat.com> <2ACC1CF6D843104C9F5EA130AD3159B531BF8C0837@SGTULMMP001.Global.ad.sabre.com> Message-ID: <1469453421.18067.71.camel@redhat.com> On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote: > Greetings! > > Yes, I had been hoping there would be a way to incorporate domain > trusts between Active Directory and FreeIPA while the clients relying > on these for identity management shared the same DNS domain (eg. > linux.company.com and windows.company.com). It sounds like that isn't > going to happen. 
These are two different domains, as long as linuc.company.com is used only by freeIPA this configuration is already supported via trust relationship. > Account replication seems like another way for Active Directory > users to be able to login to servers to use the same username/password > for logging in. It wouldn't have SSO, but at least a user would be > able to use the same username/password everywhere. Replicating user > accounts from an external AD/LDAP server seems to be built-in, at the > moment. There aren't any plans to take that away, is there? Ideally, > I'd want a two way sync so that password changes and user group > changes are replicated back to AD as well. winsync is not being further developed but we have no plans to take it away. Simo. > --David Alston > > -----Original Message----- > From: Simo Sorce [mailto:simo at redhat.com] > Sent: Friday, July 22, 2016 10:49 AM > To: Alston, David > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Replicating users/groups from AD > > On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote: > > Greetings! > > > > > > I realize that FreeIPA is supposed to be setup as master of its > > > own domain, but are there any plans to continue the account > > > replication functionality that has already been in FreeIPA? I had > > > heard rumor that it would be possible to have FreeIPA and Active > > > Directory coexist in the same domain in some release in the future. > > > Am I waiting for a feature that will never come? > > > Hi David, > in order to respond to your question an idea of what are your expectations would is needed. > > If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they will never coexists. > > If by Domain you mean DNS Domain read then FreeIPA can work in the same domain as AD but only if you do not care for them interacting (at the kerberos level, no trusts, no SSO). 
> You can basically have only one association between a DNS domain and a Realm, and a DNS domain is either going to be associated to the AD Domain server or to the IPA Domain.
>
> Synchronization, however, is a completely unrelated topic, and I can't give you an answer on that side as I do not understand how it would
> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York

From pspacek at redhat.com Mon Jul 25 13:50:54 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Jul 2016 15:50:54 +0200
Subject: [Freeipa-users] Replicating users/groups from AD
In-Reply-To: <1469453421.18067.71.camel@redhat.com>
References: <2ACC1CF6D843104C9F5EA130AD3159B531BF8C05B8@SGTULMMP001.Global.ad.sabre.com> <1469202552.18067.50.camel@redhat.com> <2ACC1CF6D843104C9F5EA130AD3159B531BF8C0837@SGTULMMP001.Global.ad.sabre.com> <1469453421.18067.71.camel@redhat.com>
Message-ID: <83ce8a94-2990-7f14-36da-117bafa64003@redhat.com>

On 25.7.2016 15:30, Simo Sorce wrote:
> On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
>> Greetings!
>>
>> Yes, I had been hoping there would be a way to incorporate domain
>> trusts between Active Directory and FreeIPA while the clients relying
>> on these for identity management shared the same DNS domain (eg.
>> linux.company.com and windows.company.com). It sounds like that isn't
>> going to happen.
>
> These are two different domains, as long as linux.company.com is used
> only by FreeIPA this configuration is already supported via a trust
> relationship.

Let me add that there are workarounds for other cases as well:
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Petr^2 Spacek

>
>> Account replication seems like another way for Active Directory
>> users to be able to log in to servers to use the same username/password
>> for logging in.
>> It wouldn't have SSO, but at least a user would be
>> able to use the same username/password everywhere. Replicating user
>> accounts from an external AD/LDAP server seems to be built-in, at the
>> moment. There aren't any plans to take that away, is there? Ideally,
>> I'd want a two way sync so that password changes and user group
>> changes are replicated back to AD as well.
>
> winsync is not being further developed but we have no plans to take it
> away.
>
> Simo.
>
>> --David Alston
>>
>> -----Original Message-----
>> From: Simo Sorce [mailto:simo at redhat.com]
>> Sent: Friday, July 22, 2016 10:49 AM
>> To: Alston, David
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>>
>> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
>>> Greetings!
>>>
>>> I realize that FreeIPA is supposed to be set up as master of its
>>> own domain, but are there any plans to continue the account
>>> replication functionality that has already been in FreeIPA? I had
>>> heard rumor that it would be possible to have FreeIPA and Active
>>> Directory coexist in the same domain in some release in the future.
>>> Am I waiting for a feature that will never come?
>>
>> Hi David,
>> in order to respond to your question an idea of what your expectations are is needed.
>>
>> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they will never coexist.
>>
>> If by Domain you mean DNS Domain then FreeIPA can work in the same domain as AD but only if you do not care for them interacting (at the kerberos level, no trusts, no SSO).
>> You can basically have only one association between a DNS domain and a Realm, and a DNS domain is either going to be associated to the AD Domain server or to the IPA Domain.
>>
>> Synchronization, however, is a completely unrelated topic, and I can't give you an answer on that side as I do not understand how it would
>> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

From suygur at firstderivatives.com Mon Jul 25 14:13:49 2016
From: suygur at firstderivatives.com (Stefan Uygur)
Date: Mon, 25 Jul 2016 14:13:49 +0000
Subject: [Freeipa-users] listing users, groups and the host they access with sudo rules
Message-ID: <38C784D32FB4354DAED01CCB1BB505351747BBDA@mail01.firstderivatives.com>

Hi everyone,

I am using ipa-server-3.0.0-47.el6_7.2.x86_64 on my Red Hat 6 and I was wondering if there is a way in IPA to list the users, with their group and the hosts they can access along with sudo permissions.

This is for auditing purposes and IPA doesn't seem to have a functionality that would help, other than performing manual commands to collect all this data, which will require quite some time.

So I was wondering if anyone had similar needs and how they overcame this issue (knowing that IPA doesn't have the auditing part covered).

Thanks
Stefan

From anthonyclarka2 at gmail.com Mon Jul 25 14:22:02 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Mon, 25 Jul 2016 10:22:02 -0400
Subject: [Freeipa-users] vaults and service accounts
In-Reply-To:
References:
Message-ID:

I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key"

From "ipa vault-add --help"

  --public-key=BYTES      Vault public key
  --public-key-file=STR   File containing the vault public key

So I hope you can understand my confusion ;)

Can anyone else speak to whether the newer versions of the vault code are any different?

Thank you, Martin!
On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti wrote:

>
>
> On 24.07.2016 16:33, Anthony Clark wrote:
>
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in an ipa vault,
> so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos
> base repository, so I'm constrained to version 1.0 vaults. I'm using this
> page:
> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>
> I'm trying these following steps but running into trouble:
>
> ipa service-add ssh/test01.dev.redacted.net
>
> certutil -N -d testcertdb
>
> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>
> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net at DEV.REDACTED.NET
>
> ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net at DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>
> the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
> Invalid or unsupported vault public key: Could not unserialize key data."
>
> Is there a preferred way to create a public key for asymmetric encryption
> for a service vault?
>
> Thanks,
>
> Anthony Clark
>
>
>
> Hello,
> I suspect you should use just private key, not certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
>
From mbasti at redhat.com Mon Jul 25 14:36:03 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 25 Jul 2016 16:36:03 +0200
Subject: [Freeipa-users] vaults and service accounts
In-Reply-To:
References:
Message-ID:

On 25.07.2016 16:22, Anthony Clark wrote:
> I wondered about that, but the docs specifically say public key, and
> the command line option to "ipa vault-add" is "--public-key"
>
> From "ipa vault-add --help"
>
>   --public-key=BYTES      Vault public key
>   --public-key-file=STR   File containing the vault public key
>
> So I hope you can understand my confusion ;)
>
> Can anyone else speak to whether the newer versions of the vault code
> are any different?
>
> Thank you, Martin!
>

Yeah, sorry, I meant public key; the private key is used for deciphering.
My point was just not to use a certificate.

Martin

>
> On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti wrote:
>
>
>
> On 24.07.2016 16:33, Anthony Clark wrote:
>> Hello All,
>>
>> I have a crazy notion of storing a host's SSH private keys in an
>> ipa vault, so that a rebuilt host can use the same keys.
>>
>> I'm on CentOS 7.2 and I'm using the RPMs available in the
>> standard centos base repository, so I'm constrained to version
>> 1.0 vaults.
>> I'm using this page:
>> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>>
>> I'm trying these following steps but running into trouble:
>>
>> ipa service-add ssh/test01.dev.redacted.net
>>
>> certutil -N -d testcertdb
>>
>> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>>
>> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net at DEV.REDACTED.NET
>>
>> ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net at DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>>
>> the last command gives me "ipa: ERROR: invalid
>> 'ipavaultpublickey': Invalid or unsupported vault public key:
>> Could not unserialize key data."
>>
>> Is there a preferred way to create a public key for asymmetric
>> encryption for a service vault?
>>
>> Thanks,
>>
>> Anthony Clark
>>
>>
>
> Hello,
> I suspect you should use just private key, not certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
>
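Martin's point, worked through as an added example (my code, not FreeIPA's): `ipa vault-add --type asymmetric --public-key-file` wants a PEM `PUBLIC KEY` block (a SubjectPublicKeyInfo, what `openssl rsa -pubout` or `openssl x509 -pubkey -noout` print), and the `CERTIFICATE` written by ipa-getcert is what triggers "Could not unserialize key data". The script classifies a PEM file by its label and, for a certificate, walks the DER with the standard library to pull out the SubjectPublicKeyInfo and re-wrap it as the public-key PEM the vault expects; the sample certificate is constructed inside the script and is not a real key.

```python
"""Added example (not FreeIPA code): turn the CERTIFICATE PEM that ipa-getcert
wrote into the PUBLIC KEY PEM that ``ipa vault-add --type asymmetric
--public-key-file`` expects.  Standard library only."""
import base64
import re

_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _pem_match(pem: str):
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m

def pem_label(pem: str) -> str:
    """Label of the first PEM block, e.g. 'CERTIFICATE' or 'PUBLIC KEY'."""
    return _pem_match(pem).group(1)

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(_pem_match(pem).group(2).split()))

def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos] -> (tag, content, next_pos, whole_tlv)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length, buf[start:pos + length]

def spki_from_certificate(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of an X.509 certificate, walking the RFC 5280
    tbsCertificate order: [0] version?, serial, signature, issuer, validity,
    subject, subjectPublicKeyInfo (the bytes `openssl x509 -pubkey -noout` prints)."""
    tag, cert, _, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _, _ = _tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, pos, _ = _tlv(tbs, 0)
    if tag == 0xA0:                                    # optional EXPLICIT version
        tag, _, pos, _ = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    for field in ("signature", "issuer", "validity", "subject"):
        tag, _, pos, _ = _tlv(tbs, pos)
        if tag != 0x30:
            raise ValueError(f"{field} SEQUENCE expected")
    tag, _, _, spki = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE expected")
    return spki

def public_key_pem_for_vault(pem: str) -> str:
    """PUBLIC KEY PEM for vault-add from a PUBLIC KEY or a CERTIFICATE PEM; anything
    else (e.g. the CERTIFICATE REQUEST written by certutil -R) is rejected."""
    label = pem_label(pem)
    if label == "PUBLIC KEY":
        return pem
    if label == "CERTIFICATE":
        return der_to_pem(spki_from_certificate(pem_to_der(pem)), "PUBLIC KEY")
    raise ValueError(f"vault-add needs a PUBLIC KEY block, got {label}")

# Constructed sample input: a structurally valid X.509 shell with a placeholder
# modulus and an all-zero signature.  It is not a real key or certificate.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _integer(value: int) -> bytes:                     # keeps the sign bit clear
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"   # OID + NULL
SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00"

def constructed_certificate_pem() -> str:
    rsa_key = _der(0x30, _integer((1 << 511) | 0x12345) + _integer(65537))
    spki = _der(0x30, _der(0x30, RSA_ENCRYPTION) + _der(0x03, b"\x00" + rsa_key))
    cn = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"test01.dev.redacted.net"))
    name = _der(0x30, _der(0x31, cn))                  # Name ::= SEQUENCE OF SET OF AVA
    validity = _der(0x30, _der(0x17, b"160725000000Z") + _der(0x17, b"170725000000Z"))
    tbs = _der(0x30, _der(0xA0, _integer(2)) + _integer(1) + _der(0x30, SHA256_WITH_RSA)
               + name + validity + name + spki)
    cert = _der(0x30, tbs + _der(0x30, SHA256_WITH_RSA) + _der(0x03, b"\x00" + bytes(64)))
    return der_to_pem(cert, "CERTIFICATE")
```

Running `public_key_pem_for_vault` over testsshd01-cert.pem and writing the result to a new file gives the `--public-key-file` argument; the matching private key stays on the host for decryption.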
From jan.karasek at elostech.cz Mon Jul 25 14:54:19 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Mon, 25 Jul 2016 16:54:19 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <148211644.2050248.1469193591355.JavaMail.zimbra@elostech.cz>
References: <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz> <41e4334c-531f-0074-cc78-33668d319676@redhat.com> <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz> <20160720160629.bietw7md672bm22c@redhat.com> <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz> <148211644.2050248.1469193591355.JavaMail.zimbra@elostech.cz>
Message-ID: <1648113236.2160185.1469458459691.JavaMail.zimbra@elostech.cz>

Hi,

just for the clarification: Do I really need IDMU installed on the AD side for an IPA-AD trust with --range-type=ipa-ad-trust-posix? In W2012 all POSIX attributes are already in the schema and the idrange type can be forced. I just tried to remove IDMU from my AD and it's still working.

What is the role of IDMU other than allowing to autodetect the POSIX idrange type via the msSFU30OrderNumber and msSFU30MaxUidNumber attributes?

Regards,
Jan

From: "Jan Karásek"
To: "Justin Stephenson"
Cc: "Alexander Bokovoy" , freeipa-users at redhat.com
Sent: Friday, July 22, 2016 3:19:51 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

Hi,

thanks a lot for help guys. It's working now. I can successfully read POSIX attributes from AD. Just now I'm storing uidNumber, gidNumber, gecos, loginShell and unixHomeDirectory in AD.

I have trouble with homedir. It's using subdomain_homedir from sssd.conf and not reflecting the value of the unixHomeDirectory attribute. Is there any way to use the value from AD and not the subdomain_homedir template for this parameter?
Regards,
Jan

From: "Justin Stephenson"
To: "Jan Karásek" , "Alexander Bokovoy"
Cc: freeipa-users at redhat.com
Sent: Thursday, July 21, 2016 3:54:25 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

Hello,

You should remove the following from sssd.conf:

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

With the AD trust configuration, you do not need to specify any additional domain because IPA will contact AD across the trust using the external and POSIX groups you created during the trust setup.

Once done, try restarting sssd and removing the /var/lib/sss/db/* cache

Kind regards,
Justin Stephenson

On 07/21/2016 07:56 AM, Jan Karásek wrote:

Thank you. Now I have IDMU installed and when creating the trust, IPA is correctly autodetecting the range type:

  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes

When asking for the uid of the AD user:

[root at ipa1 sssd]# id user1 at example.tt
uid=1392001119(user1 at example.tt) gid=1392001119(user1 at example.tt) groups=1392001119(user1 at example.tt),1392000513(domain users at example.tt),979000007(external_users)

... so ID-mapping is still in action.

According to the doc:

To use existing POSIX attributes, two things must be configured:
* The POSIX attributes must be published to Active Directory's global catalog. - done with uidNumber, gidNumber
* ID mapping (ldap_id_mapping in the Active Directory domain entry) must be disabled in SSSD. - done

Here is my sssd.conf from the IPA server. Is there anything else I should do to switch off ID-mapping?
[domain/a.example.tt]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt, example.tt

[nss]
#debug_level = 5
#homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

[pam]
#debug_level = 5

[sudo]

[autofs]

[ssh]
#debug_level = 4

[pac]
#debug_level = 4

[ifp]

Regards,
Jan

From: "Alexander Bokovoy"
To: "Jan Karásek"
Cc: "Justin Stephenson" , freeipa-users at redhat.com
Sent: Wednesday, July 20, 2016 6:06:29 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

On Wed, 20 Jul 2016, Jan Karásek wrote:
>Hi,
>
>thank you.
>
>ldapsearch reply:
>
>search: 2
>result: 32 No such object
>matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
>text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
>match of:
>'CN=RpcServices,CN=System,DC=rwe,DC=tt'
>
>actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
>
>Did I miss setting something on the AD side?

Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft removed
the IDMU tools. The LDAP schema will stay but there will be no means to visually
edit POSIX attributes.
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

>
>Thanks,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek"
>Cc: freeipa-users at redhat.com
>Sent: Wednesday, July 20, 2016 4:09:02 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>These attributes should be available from port 389 and not the global catalog, please try a command such as:
>
>ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
>
>Replacing the root suffix in the search base, the ip-address and bind credentials.
>
>Kind regards,
>Justin Stephenson
>
>On 07/20/2016 08:15 AM, Jan Karásek wrote:
>
>Hi,
>
>thank you for the hint.
>
>In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>
>It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>
>If I understand it right, it is the base uid number and the number of uids in the range.
>
>If not discovered nor given via CLI, then it generates a random base and adds some default_range_size.
>
>So these two attributes must be set to use the ipa-ad-trust-posix range?
>
>Could anybody help me how and where to check these attributes? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in the schema - so no values assigned.
>I'm using W2012 R2.
>
>Thank you,
>Jan
>
>From: "Justin Stephenson"
>To: "Jan Karásek" , freeipa-users at redhat.com
>Sent: Tuesday, July 19, 2016 8:36:00 PM
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
>Hello,
>
>When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
>
>You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>
>I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
>
>Kind regards,
>Justin Stephenson
>
>On 07/19/2016 09:44 AM, Jan Karásek wrote:
>
>Hi,
>
>I am still fighting with storing users' POSIX attributes in AD. Can anybody please provide some simple reference settings of an IPA-AD trust where users are able to get their uid from AD - not from the IPA ID pool?
>
>I have tried to set values of attributes before and after creating the trust, I have tried different sssd settings but I'm still getting the uid from the IPA idrange pool instead of from the AD user's attribute.
>
>What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
>Do I mandatorily have to fill some AD user's attributes to get it to work? Currently I'm testing just with uidNumber and gidNumber.
>
>There is almost no documentation about this topic so I don't know what else I can try ...
>
>Thanks for help,
>
>Jan
>
>Date: Tue, 21 Jun 2016 21:38:15 +0200
>From: Jakub Hrozek
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>Message-ID: <20160621193815.GS29512 at hendrix>
>Content-Type: text/plain; charset=iso-8859-1
>
>On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
>> Hi all,
>>
>> I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>>
>> I have set up the trust with these parameters:
>>
>> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
>
>Did you add the POSIX attributes to AD after creating the trust maybe?
>
>>
>> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>>   Range name: EXAMPLE.TT_id_range
>>   First Posix ID of the range: 1392000000
>>   Number of IDs in the range: 200000
>>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>>   Range type: Active Directory trust range with POSIX attributes
>>
>>
>> I have set attributes in AD for user at EXAMPLE.TT
>> - uidNumber - 10000
>> - homeDirectory - /home/user
>> - loginShell - /bin/bash
>>
>> Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>>
>> Problem is, that I am not getting the uid from AD but from the idrange:
>>
>> uid=1392001107(user at example.tt)
>>
>> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
>
>This has no effect, in the IPA-AD trust scenario the id mapping properties
>are managed on the server.
>
>>
>> I know, that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from the HR system - including POSIX attributes - and we need IPA to read them from AD.
>
>I think idviews are better for overriding POSIX attributes for a
>specific set of hosts, but in your environment, it sounds like you want
>to use the POSIX attributes across the board.
>
>>
>> So my questions are:
>>
>> Is it possible to read user's POSIX attributes directly from AD - namely uid?
>
>Yes
>
>> Which attributes can be stored in AD?
>
>Homedir is a bit special, for backwards compatibility the
>subdomains_homedir takes precedence. The others should be read from AD.
>
>I don't have the environment set at the moment, though, so I'm operating
>purely from memory.
>
>> Am I doing something wrong?
>>
>> my sssd.conf:
>> [domain/a.example.tt]
>> debug_level = 5
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> 
>> ipa_domain = a.example.tt
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa1.a.example.tt
>> chpass_provider = ipa
>> ipa_server = ipa1.a.example.tt
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_id_mapping = true
>> #subdomain_inherit = ldap_user_principal
>> #ldap_user_principal = nosuchattribute
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = a.example.tt
>> [nss]
>> debug_level = 5
>> homedir_substring = /home
>> enum_cache_timeout = 2
>> entry_negative_timeout = 2
>>
>>
>> [pam]
>> debug_level = 5
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>> debug_level = 4
>> [pac]
>>
>> debug_level = 4
>> [ifp]
>>
>> Thanks,
>> Jan
>
>--
>Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon Jul 25 15:22:17 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2016 11:22:17 -0400
Subject: [Freeipa-users] Insufficient 'write' privilege to the 'userCertificate'
In-Reply-To: <870937131.4770227.1469390567269.JavaMail.yahoo@mail.yahoo.com>
References: <870937131.4770227.1469390567269.JavaMail.yahoo.ref@mail.yahoo.com> <870937131.4770227.1469390567269.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57962EA9.3050707@redhat.com>

mohammad sereshki wrote:
> hi
> I get the below error from "getcert list", would you please help me to solve it?
>
> ca-error: Server denied our request, giving up: 2100 (RPC failed at
> server.
> Insufficient access:
> Insufficient 'write' privilege to the 'userCertificate' attribute of entry
> 'krbprincipalname=ldap/ipasrv.example.com at EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'.).

With so many threads on basically the same underlying issue it's difficult
to tell what works and what doesn't work and what you've done to get past
various blockers.

What have you done to get past the "Error setting up ccache for local
"host" service using default keytab" issue, for example?

Generic things to do:

- ipactl status to ensure all services are running
- check /var/log/httpd/error_log for more information on the CA ACL
  issues. You may want to create /etc/ipa/server.conf with these contents:

[global]
debug = True

Then restart httpd and try to reproduce for more verbose output.

rob

From rcritten at redhat.com Mon Jul 25 15:50:56 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2016 11:50:56 -0400
Subject: [Freeipa-users] Bypass pre-hashed passwords verification
In-Reply-To: <19f0115e-adc1-f860-0a7f-527fbac210e3@ljll.math.upmc.fr>
References: <4a4f611d-349a-8b2d-64ab-f26f0e858d48@redhat.com> <7e621b60-c4de-a9a7-5573-f2f5e206220a@ljll.math.upmc.fr> <57926A28.8050708@redhat.com> <4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr> <19f0115e-adc1-f860-0a7f-527fbac210e3@ljll.math.upmc.fr>
Message-ID: <57963560.5060704@redhat.com>

Sébastien Julliot wrote:
> Looks like I spoke too fast. Using ldappasswd, no problems with ldap
> queries.
>
> But kinit rejects my password ..

That is expected. You changed to a pre-hashed password (potentially) so
how can IPA generate Kerberos credentials?

I think ldappasswd working is a bug. IPA is designed to be the central
identity source, so it needs to own passwords. You can import pre-hashed
passwords using an LDAP add; those can be migrated. You can't do an LDAP
mod to set a pre-hashed password, even as a passsync mgr.

rob

>
>
> On 25/07/2016 at 11:58, Sébastien Julliot wrote:
>> Hello Rob,
>>
>> The indicated method was unsuccessful, but I found another way to do it :)
>>
>> Here is a summary of my unsuccessful tests :
>> ? ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
>> -------------------------------
>> Utilisateur « testuser » ajouté
>> -------------------------------
>>
>> Now I am able to log in as testuser. Yet, despite having added admin
>> as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config
>> ? ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
>> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> passsyncmanagersdns: cn=Directory Manager
>> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>>
>> I still get an error when trying to set pre-hashed passwords :
>> ? ~ cat change_testuser_passwd.ldif
>> dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>> changetype: modify
>> replace: userpassword
>> userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
>> ? ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
>> Enter LDAP Password:
>> modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
>> ldap_modify: Constraint violation (19)
>> additional info: Pre-Encoded passwords are not valid
>>
>> However, I noted that using ldappasswd does the job, even without
>> having set passSyncManagerDNs.
>>
>> It is not as clean as if I could have used the freeipa API to change
>> passwords, but for lack of better, it will do the job.
>>
>> On 22/07/2016 at 20:47, Rob Crittenden wrote:
>>> Sébastien Julliot wrote:
>>>> Hi Petr,
>>>>
>>>>
>>>> Thanks for the documentation. I already had followed the steps from
>>>> the
>>>> NIS migration page, it works, but does not solve my problem, which
>>>> is to
>>>> change *already existing users'* passwords.
>>>>
>>>> When trying
>>>>
>>>> ipa user-mod testuser --setattr
>>>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>>>
>>>> I get "Pre-Encoded passwords are not valid"
>>>
>>> Look at the first link Petr sent you. There is a password sync
>>> manager setting that should be able to insert pre-hashed passwords.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am currently trying to deploy FreeIPA as the new idm system in my
>>>>>> university but came across a problem I could not solve yet. I need to
>>>>>> bypass the pre-hashed passwords verification, not only on the user
>>>>>> creation.
>>>>>>
>>>>>> Due to several constraints, our workflow involves periodically
>>>>>> (once a
>>>>>> day, currently) receiving an ldif file containing the users'
>>>>>> up-to-date
>>>>>> information (including hashed passwords) and inserting this
>>>>>> information into the idm. As our goal is to unify users' passwords in
>>>>>> the university but we do not have access to the higher-level LDAP
>>>>>> directly,
>>>>>> we injected these pre-hashed passwords directly into the LDAP until
>>>>>> today.
>>>>>>
>>>>>> Yet, every attempt I made to update users' passwords with pre-hashed
>>>>>> passwords has failed for now.
>>>>>>
>>>>>> First I tried this (migration mode enabled):
>>>>>>
>>>>>> ? ~ ipa user-add testuser --first=test --last=user --setattr
>>>>>> userpassword='{MD5}*********************'
>>>>>>
>>>>>> *OK*
>>>>>>
>>>>>> ? ~ kinit testuser
>>>>>>
>>>>>> kinit: Generic preauthentication failure while getting initial
>>>>>> credentials
>>>>>>
>>>>>> As expected from the documentation, it does not work :p
>>>>>>
>>>>>> I then thought about trying to copy the migration plug-in, and change
>>>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>>>> server). Since this plugin is able to But again, even binding as
>>>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>>>> me (I
>>>>>> tested my code without the userPassword field and the users are
>>>>>> correctly inserted).
>>>>>>
>>>>>> Here is my code :
>>>>>>
>>>>>> import ldif                               # python-ldap's LDIF parser
>>>>>> import ipalib
>>>>>> from ipapython.dn import DN
>>>>>> from ipaserver.plugins.ldap2 import ldap2
>>>>>>
>>>>>> class ldif_importer(ldif.LDIFParser):
>>>>>>     '''Feed every record of test.ldif straight into the IPA LDAP backend'''
>>>>>>     def __init__(self, ldap_backend):
>>>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>>>         self.ldap = ldap_backend
>>>>>>
>>>>>>     def handle(self, dn, entry):
>>>>>>         # called by LDIFParser.parse() once per record; entry is {attr: [values]}
>>>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>>>
>>>>>> class my_backend(ipalib.Backend):
>>>>>>     '''Backend to import ldap passwords from ldif'''
>>>>>>
>>>>>>     def __init__(self, api):
>>>>>>         ipalib.Backend.__init__(self, api)
>>>>>>         self.ldap = ldap2(self.api)
>>>>>>         # bind as Directory Manager; the password is redacted here
>>>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>>>                           bind_pw='***********')
>>>>>>
>>>>>>     def parse(self):
>>>>>>         importer = ldif_importer(self.ldap)
>>>>>>         importer.parse()
>>>>>>
>>>>>> class my_command(ipalib.Command):
>>>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>>>
>>>>>>     def execute(self, **options):
>>>>>>         '''Implemented against my_backend'''
>>>>>>         self.Backend.my_backend.parse()
>>>>>>         return {'result': 'everything OK'}
>>>>>>
>>>>>>
>>>>>> Should one of these methods have worked, and I did it incorrectly?
>>>>>> Otherwise, what would be the lowest-impact solution to achieve this?
>>>>>> (Yes, I understand the security concerns about sending password
>>>>>> hashes
>>>>>> on the network but this choice does not depend on me)
>>>>>>
>>>>>> Many thanks in advance,
>>>>>> Sebastien.
>>>>>>
>>>>> The issue might be that the user has his userPassword migrated but he
>>>>> doesn't have krbPrincipalKey generated. If the kerberos key is missing
>>>>> then
>>>>> it is automatically generated on successful LDAP bind (it's what the
>>>>> ipa/migration page does)
>>>>>
>>>>> Additional info which might interest you:
>>>>> *
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>>>>
>>>>> *
>>>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>>>
>>>>>
>>>>
>>>
>>
>

From rakesh.rajasekharan at gmail.com Mon Jul 25 15:53:19 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Mon, 25 Jul 2016 21:23:19 +0530
Subject: [Freeipa-users] slow login with freeipa 4.2.0
Message-ID:

Hi,

I am facing a slow login issue with the IPA 4.2.0 version. The login takes around 18-19s

date; ssh testuser at 10.16.32.4
Mon Jul 25 11:14:54 UTC 2016
testuser at 10.65.32.4's password:
Last login: Mon Jul 25 11:10:35 2016 from 10.65.16.4
[testuser at ipa-client-1 :~] date
Mon Jul 25 11:15:12 UTC 2016

I have tried most of the settings like "selinux_provider=none" as well as followed
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

However, the slowness still does not seem to go away.
Below are my sssd_domain logs

(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com].
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaSshPubKey] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 120 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 120 timeout 6 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00eb6b0], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00eb6b0], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 120 finished (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Save user (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Processing user testuser (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): Adding originalDN [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com] to attributes of [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160725110654Z] to attributes of [testuser]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding user principal [testuser at xyz.COM] to attributes of [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20160511120919Z] to attributes of [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20160809120919Z] to attributes of [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [testuser]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [testuser]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [testuser]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Storing info for user testuser (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): 
Removing attribute [authorizedHost] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userCertificate] from [testuser] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 121 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 121 timeout 6 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 121 finished (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 122 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 122 timeout 6 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 122 finished (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 123 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 123 timeout 6 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d013c3d0], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d013c3d0], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 123 finished (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com, returned 0 results. Skipping (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 
25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 124 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 124 timeout 6 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012c820], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:22 2016) 
[sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 124 finished (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com,cn=sysdb))] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spradmins,cn=groups,cn=xyz.com ,cn=sysdb))] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spradmins is a member of 0 sysdb groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spradmins is a direct member of 0 LDAP groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spr-itops (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spr-itops,cn=groups,cn=xyz.com ,cn=sysdb))] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spr-itops is a member of 0 sysdb groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spr-itops is a direct member of 0 LDAP groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x1000): The user testuser is a direct member of 3 LDAP groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] 
[sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=testuser,cn=users,cn=xyz.com,cn=sysdb))] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): testuser is a member of 3 sysdb groups (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for testuser (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com] (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:22 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=703)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=xyz,dc=com]. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 129 finished (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=xyz,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=10.65.32.4,cn=computers,cn=accounts,dc=xyz,dc=com)))] (Mon Jul 25 11:10:24 
2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=10.65.32.4,cn=computers,cn=accounts,dc=xyz,dc=com)))][cn=hbac,dc=xyz,dc=com]. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [hostCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 130 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 130 timeout 60 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=7f4abeae-176f-11e6-9090-000d3a01891b,cn=hbac,dc=xyz,dc=com]. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serviceCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [hostCategory] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] 
(0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 130 finished (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_get_category] (0x0200): Category is set to 'all'. 
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_eval_user_element] (0x1000): [4] groups for [testuser] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [testuser] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_eval_user_element] (0x1000): Added group [spradmins] for user [testuser] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [hbac_eval_user_element] (0x1000): Added group [spr-itops] for user [testuser] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it. (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[(nil)], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com] (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser: (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 10.65.16.4 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 36265 (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set (Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com] (Mon Jul 25 11:10:32 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Mon Jul 25 11:10:32 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 
25 11:10:34 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Mon Jul 25 
11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [ipaSshPubKey] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 131 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 131 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d00f8b70], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 131 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Save user (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Processing user testuser (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): Adding originalDN [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com] to attributes of [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160725111022Z] to attributes of [testuser]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding user principal [testuser at xyz.COM] to attributes of [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20160511120919Z] to attributes of [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20160809120919Z] to attributes of [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [testuser]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [testuser]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [testuser]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Storing info for user testuser (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): 
Removing attribute [authorizedHost] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userCertificate] from [testuser] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 132 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 132 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 132 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 133 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 133 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 133 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 134 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 134 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 134 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com, returned 0 results. Skipping (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 
25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 135 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 135 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) 
[sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 135 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com,cn=sysdb))] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spradmins,cn=groups,cn=xyz.com ,cn=sysdb))] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spradmins is a member of 0 sysdb groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spradmins is a direct member of 0 LDAP groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spr-itops (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spr-itops,cn=groups,cn=xyz.com ,cn=sysdb))] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spr-itops is a member of 0 sysdb groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spr-itops is a direct member of 0 LDAP groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x1000): The user testuser is a direct member of 3 LDAP groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] 
[sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=testuser,cn=users,cn=xyz.com,cn=sysdb))] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): testuser is a member of 3 sysdb groups (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for testuser (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=703)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 136 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 136 timeout 6 (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]. 
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[0x7f88d012ba00], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 136 finished (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. 
[0][Success] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Processing group spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x2000): This is a posix group (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of [spradmins]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160722213052Z] to attributes of [spradmins]. (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Storing info for group spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Processing group spradmins (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): No members for group [spradmins] (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_nested_done] (0x2000): No external members, done(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] (0x2000): 0x7f88d00f83c0 (Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d00eb060], connected[1], ops[(nil)], ldap[0x7f88d00dca80] (Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result 
found nothing!
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] (0x2000): 0x7f88d00f83c0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 10.65.16.4
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 36265
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 10.65.16.4
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 0
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 36274
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]

Any pointers here on how I can solve this issue?

Thanks,
Rakesh
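To find where a login stalls in a debug log like the one above, the following Python script (an added example, not part of the thread) splits sssd records apart even when they were pasted onto a single line, reports every gap of at least N seconds between consecutive records, and collects the pam_print_data fields of each PAM request so the PAM_AUTHENTICATE / PAM_OPEN_SESSION steps can be lined up against the ssh timestamps. The sample log is constructed in the same format; the function names in it are taken from the log above and the timestamps, user and addresses are made up.

```python
"""Locate silent gaps and summarise PAM requests in an sssd debug log.

Added example, not from the mailing-list thread. SAMPLE_LOG is constructed
to mimic the sssd_<domain>.log format quoted above.
"""
import sys
import re
from datetime import datetime

# One sssd record looks like:
#   (Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [func] (0x0100): message
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Zero-width split point in front of every "(Day Mon dd HH:MM:SS YYYY) "
# so that records glued together on one line are separated again.
RECORD_START = re.compile(
    r"(?=\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]?\d "
    r"\d\d:\d\d:\d\d \d{4}\) )"
)
RECORD = re.compile(
    r"\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)",
    re.S,
)

# Constructed sample: a PAM_AUTHENTICATE request, an LDAP search that is
# not answered for 10 seconds, then a PAM_OPEN_SESSION request whose
# records were pasted onto a single line (as in the log above).
SAMPLE_LOG = """\
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 10.65.16.4
(Mon Jul 25 11:10:24 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(uid=testuser)][cn=accounts,dc=xyz,dc=com].
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jul 25 11:10:34 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com] (Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data (Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Mon Jul 25 11:10:35 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
"""


def parse_records(text):
    """Return the log's records as dicts (ts, proc, func, level, msg, time)
    in file order, splitting records that share a physical line."""
    records = []
    for chunk in RECORD_START.split(text):
        m = RECORD.match(chunk.strip())
        if not m:
            continue  # continuation fragment or noise before the first record
        rec = m.groupdict()
        rec["msg"] = rec["msg"].strip()
        rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def find_gaps(records, min_seconds=5):
    """Return (seconds, record_before, record_after) for each pair of
    consecutive records that are at least min_seconds apart; the record
    before the gap is the last thing sssd did before it stalled."""
    gaps = []
    for before, after in zip(records, records[1:]):
        delta = (after["time"] - before["time"]).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, before, after))
    return gaps


def pam_requests(records):
    """Collect the key/value lines that pam_print_data emits after each
    'Got request with the following data' into one dict per PAM request."""
    requests = []
    for rec in records:
        if rec["func"] == "be_pam_handler" and rec["msg"].startswith("Got request"):
            requests.append({"time": rec["time"]})
        elif rec["func"] == "pam_print_data" and requests:
            key, _, value = rec["msg"].partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


if __name__ == "__main__":
    # Usage: python sssd_gaps.py /var/log/sssd/sssd_xyz.com.log [min_seconds]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 5
    recs = parse_records(text)
    for req in pam_requests(recs):
        print(f"{req['time']} {req.get('command')} user={req.get('user')} "
              f"service={req.get('service')} rhost={req.get('rhost')}")
    for secs, before, after in find_gaps(recs, threshold):
        print(f"{secs:.0f}s gap after [{before['func']}] {before['msg'][:60]}")
        print(f"    next record: [{after['func']}] {after['msg'][:60]}")
```

Run against the real file with a threshold of a few seconds; the record printed just before each gap names the backend step (an LDAP search, a Kerberos exchange) that was waiting, which is the first thing to check before suspecting DNS or the client side.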
From jhrozek at redhat.com Mon Jul 25 17:36:29 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 Jul 2016 19:36:29 +0200
Subject: [Freeipa-users] listing users, groups and the host they access with sudo rules
In-Reply-To: <38C784D32FB4354DAED01CCB1BB505351747BBDA@mail01.firstderivatives.com>
References: <38C784D32FB4354DAED01CCB1BB505351747BBDA@mail01.firstderivatives.com>
Message-ID: <20160725173629.GL12570@hendrix>

On Mon, Jul 25, 2016 at 02:13:49PM +0000, Stefan Uygur wrote:
> Hi everyone,
> I am using ipa-server-3.0.0-47.el6_7.2.x86_64 on my Red Hat 6 and I was wondering if there is a way in IPA to list the users, with their group and the hosts they can access along with sudo permissions.
>
> This is for auditing purposes and IPA doesn't seem to have a functionality that would help rather than performing manual commands to collect all this data, which will require quite some time.
>
> So I was wondering if anyone had similar needs and how they overcame this issue (knowing that IPA doesn't have the auditing part covered).

Not easy per host, but you can install ldbsearch and then check what sudo rules are fetched by sssd for this host:

# yum install ldb-tools
# ldbsearch -H /var/lib/sss/db/cache_$domain.ldb -b cn=sysdb objectClass=sudoRule

From jhrozek at redhat.com Mon Jul 25 17:42:04 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 25 Jul 2016 19:42:04 +0200
Subject: [Freeipa-users] slow login with freeipa 4.2.0
In-Reply-To:
References:
Message-ID: <20160725174204.GM12570@hendrix>

On Mon, Jul 25, 2016 at 09:23:19PM +0530, Rakesh Rajasekharan wrote:
> Hi,
>
> I am facing a slow login issue with IPA 4.2.0 version. The login takes around
> 18-19s
>
> date;ssh testuser@10.16.32.4
> Mon Jul 25 11:14:54 UTC 2016
> testuser@10.65.32.4's password:
> Last login: Mon Jul 25 11:10:35 2016 from 10.65.16.4
> [testuser@ipa-client-1 :~] date
> Mon Jul 25 11:15:12 UTC 2016

Are you sure the logs correspond to the login attempt?
The stamps you posted are between 11:14:54 and 11:15:12 but the logs below are from a different time period.

There is a 10 second period in the sssd logs when seemingly nothing happens. Does the same delay happen if you su from another non-root account (ruling out some DNS issues in SSH or similar)?

From rstory at tislabs.com Mon Jul 25 17:37:20 2016
From: rstory at tislabs.com (Robert Story)
Date: Mon, 25 Jul 2016 13:37:20 -0400
Subject: [Freeipa-users] slow login with freeipa 4.2.0
In-Reply-To:
References:
Message-ID: <20160725133720.0eb553ef@ispx.vb.futz.org>

On Mon, 25 Jul 2016 21:23:19 +0530 Rakesh wrote:
RR> Hi,
RR>
RR> I am facing slow login issue with IPA 4.2.0 version. The login takes around
RR> 18-19s

Any chance that it's running on a VM? If so, check your entropy:

cat /proc/sys/kernel/random/entropy_avail

If it's low (like < 1k), install haveged.

Robert

--
Senior Software Engineer @ Parsons

From rcritten at redhat.com Mon Jul 25 20:29:37 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2016 16:29:37 -0400
Subject: [Freeipa-users] Unable to add CA on an already configured replica
In-Reply-To: <312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com>
References: <312415248.3085984.1469211457614.JavaMail.yahoo.ref@mail.yahoo.com> <312415248.3085984.1469211457614.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <579676B1.2070901@redhat.com>

pgb205 wrote:
> Current topology:
> ipa-srv1<->ipa-srv2
>
> ipa-srv1 already has CA installed but *NOT* ipa-srv2.
>
> The reason I would like to add CA on ipa-srv2 is because I want the
> setup to ultimately become
> ipa-srv2<->ipa-srv2<->ipa-srv3
>
> however I am unable to create gpg replication file on ipa-srv2 (to be
> used to establish replication agreement to ipa-srv3)
> as I get an error message: Certificate operation cannot be completed:
> Unable to communicate with CMS (Internal Server Error)
> From what I've found gpg can only be created on replica with CA installed.
>
> to install CA I tried the following command
> ipa-ca-install --skip-conncheck ./replica-info-ipa-srv2.gpg
> This errors out at
>   [8/21]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance. See the installation log for details.
>   [9/21]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: request failed
> with HTTP status 500
>
> systemctl status pki-tomcatd@pki-tomcat.service
>
> shows the pki service is running, surprisingly.
>
> but it's still not listed in ipactl status output
>
> further attempts to install are halted with error: CA is already
> installed on this system and I have to manually delete everything with:
> pkidestroy -s CA -i pki-tomcat
> rm -rf /var/log/pki/pki-tomcat
> rm -rf /etc/sysconfig/pki-tomcat
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
> rm -rf /var/lib/pki/pki-tomcat
> rm -rf /etc/pki/pki-tomcat
>
>
> in error logs the one message that stands out is:
> 500 internal server error. which repeats multiple times at the end of
> log file.

Which log file? You probably want to look at the CA debug log. I'm assuming the error is originating in dogtag.

> Please suggest on what can be done in this situation.
>
> PS: regarding pkidestroy and pkiremove commands. What is the difference
> or does pkidestroy supersede pkiremove.
> Alexander B suggests pkiremove in one of his older posts and 'yum
> whatprovides pkiremove' also suggests that it should be available.

Right, pkidestroy replaced pkiremove.

There is no uninstaller for the CA currently. I had started one long ago and never finished it. Feel free to open an RFE on it. Note that it is trickier than just removing files. Depending on where it blows up you may need to remove replication agreements too (and entries from cn=masters).

rob

From rcritten at redhat.com Mon Jul 25 21:34:01 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2016 17:34:01 -0400
Subject: [Freeipa-users] Cannot renew expired certificates in IPA 4.2
In-Reply-To:
References:
Message-ID: <579685C9.9090105@redhat.com>

lm gnid wrote:
> Hello, as in the link below, your help will be appreciated!
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1343796

The bug lacks almost all context so I have no idea what you have already done.

In any case, the -vvv may be part of the problem, it does not mean verbose.

rob

From linov.suresh at gmail.com Mon Jul 25 21:40:38 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Mon, 25 Jul 2016 17:40:38 -0400
Subject: [Freeipa-users] Could not find cert: Signing-Cert : File not found
Message-ID:

We are using CentOS 6.4/FreeIPA 3.0.0

LDAP/Apache certificates were expired and when we tried to renew, we found Signing-Cert is missing.

# certutil -L -d /etc/httpd/alias -n Signing-Cert
certutil: Could not find cert: Signing-Cert : File not found

How do we recreate the Signing-Cert certificate? We use master-master replica. Please help.
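Before starting a renewal it helps to know which nicknames an NSS database actually holds rather than probing them one at a time with certutil -n. The Python helper below is an added example, not from the thread or from FreeIPA: it parses the listing that `certutil -L -d <dbdir>` prints (two header lines, a blank line, then one nickname/trust-flags line per certificate) and reports which expected nicknames are absent and which entries carry CA trust. The sample listing is constructed and the nicknames in it (the IPA CA, Server-Cert, ipaCert) are assumed for illustration.

```python
"""Parse `certutil -L -d <dbdir>` output and check for expected nicknames.

Added example, not from the thread. SAMPLE_LISTING is constructed to look
like the listing certutil prints for an httpd NSS database.
"""
import re
import subprocess

# A certificate line is "<nickname>   <SSL>,<S/MIME>,<JAR/XPI trust flags>".
# Nicknames may contain single spaces, so the separator is two or more.
LISTING_LINE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)

# Constructed sample (assumed nicknames); note that Signing-Cert is absent,
# as in the situation described above.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XYZ.COM IPA CA                                               CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
"""


def parse_listing(text):
    """Map nickname -> trust-flag string for every certificate line."""
    certs = {}
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if not m:
            continue  # header lines and blank lines do not carry flags
        nick = m.group("nick").strip()
        if nick:
            certs[nick] = m.group("trust")
    return certs


def missing_nicknames(certs, required):
    """Nicknames from `required` that are not in the database listing."""
    return [nick for nick in required if nick not in certs]


def trusted_cas(certs):
    """Nicknames whose SSL trust field marks them as a trusted CA (C or T)."""
    return [nick for nick, trust in certs.items()
            if any(flag in trust.split(",")[0] for flag in "CT")]


def list_nss_db(dbdir):
    """Run certutil (nss-tools) on a real database directory and parse it."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    # Usage: python nssdb_check.py /etc/httpd/alias
    import sys
    certs = list_nss_db(sys.argv[1]) if len(sys.argv) > 1 else parse_listing(SAMPLE_LISTING)
    for nick, trust in certs.items():
        print(f"{nick:40} {trust}")
    print("trusted CAs:", trusted_cas(certs))
    print("missing:", missing_nicknames(certs, ["Server-Cert", "ipaCert", "Signing-Cert"]))
```

A nickname reported as missing is not by itself a fault: compare against what the same database holds on another master before treating it as lost, since not every master carries the same set of certificates.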
From rcritten at redhat.com Mon Jul 25 22:08:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2016 18:08:05 -0400
Subject: [Freeipa-users] Could not find cert: Signing-Cert : File not found
In-Reply-To:
References:
Message-ID: <57968DC5.9030308@redhat.com>

Linov Suresh wrote:
> We are using CentOS 6.4/FreeIPA 3.0.0
>
> LDAP/Apache certificates were expired and when we tried to renew, we
> found Signing-Cert is missing.
>
> # certutil -L -d /etc/httpd/alias -n Signing-Cert
> certutil: Could not find cert: Signing-Cert : File not found
>
> How do we recreate Signing-Cert certificate? We use master-master
> replica. Please help.
>
>

Only the initial master got a signing cert IIRC. It was used to sign the Firefox configuration jar. Are you using this? Recent versions of Firefox don't allow this kind of signed jar anymore and it has been dropped upstream.

Are you just trying to be thorough or is this causing some real problem?

rob

From linov.suresh at gmail.com Mon Jul 25 22:17:32 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Mon, 25 Jul 2016 18:17:32 -0400
Subject: [Freeipa-users] Could not find cert: Signing-Cert : File not found
In-Reply-To: <57968DC5.9030308@redhat.com>
References: <57968DC5.9030308@redhat.com>
Message-ID:

We were not sure that Signing-Cert was required for LDAP/Apache certificate renewal. Thank you very much for your update Rob. We are going to renew the certificates without Signing-Cert.

On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden wrote:

> Linov Suresh wrote:
>
>> We are using CentOS 6.4/FreeIPA 3.0.0
>>
>> LDAP/Apache certificates were expired and when we tried to renew, we
>> found Signing-Cert is missing.
>>
>> # certutil -L -d /etc/httpd/alias -n Signing-Cert
>> certutil: Could not find cert: Signing-Cert : File not found
>>
>> How do we recreate Signing-Cert certificate? We use master-master
>> replica. Please help.
>>
>>
>>
> Only the initial master got a signing cert IIRC.
> It was used to sign the
> Firefox configuration jar. Are you using this? Recent versions of Firefox
> don't allow this kind of signed jar anymore and it has been dropped
> upstream.
>
> Are you just trying to be thorough or is this causing some real problem?
>
> rob
>

From amessina at messinet.com Mon Jul 25 22:23:31 2016
From: amessina at messinet.com (Anthony Joseph Messina)
Date: Mon, 25 Jul 2016 17:23:31 -0500
Subject: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
Message-ID: <3397838.Y5170lQIpI@linux-ws1.messinet.com>

After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" with the following command. I can confirm the certificate with serial 0x14 is present in the system and is not expired/revoked, etc. I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output below.

# /usr/bin/openssl ocsp \
  -issuer /etc/ipa/ca.crt \
  -nonce \
  -CAfile /etc/ipa/ca.crt \
  -url "http://ipa-ca.example.com/ca/ocsp" \
  -serial 0x14

# rpm -q freeipa-server pki-server
freeipa-server-4.3.1-1.fc24.x86_64
pki-server-10.3.3-1.fc24.noarch

# tail -f /var/log/pki/pki-tomcat/ca/debug
CMSServlet:service() uri = /ca/ocsp
CMSServlet: caOCSP start to service.
IP: 10.77.79.198 CMSServlet: no authMgrName CMSServlet: in auditSubjectID CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.77.79.198} CMSServlet auditSubjectID: subjectID: null CMSServlet: in auditGroupID CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.77.79.198} CMSServlet auditGroupID: groupID: null checkACLS(): ACLEntry expressions= ipaddress=".*" evaluating expressions: ipaddress=".*" evaluated expression: ipaddress=".*" to be true DirAclAuthz: authorization passed SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS In LdapBoundConnFactory::getConn() masterConn is connected: true getConn: conn is connected true getConn: mNumConns now 2 returnConn: mNumConns now 3 SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME Servlet Path=/ocsp RequestURI=/ca/ocsp PathInfo=null Method=POST In LdapBoundConnFactory::getConn() masterConn is connected: true getConn: conn is connected true getConn: mNumConns now 2 returnConn: mNumConns now 3 OCSPServlet: Could not locate issuing CA CMSServlet.java: renderTemplate CMSServlet: curDate=Mon Jul 25 17:12:11 CDT 2016 id=caOCSP time=50 -- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From prashant at apigee.com Tue Jul 26 03:39:19 2016 From: prashant at apigee.com (Prashant Bapat) Date: Tue, 26 Jul 2016 09:09:19 +0530 Subject: [Freeipa-users] Deny bind for external LDAP if password is expired In-Reply-To: <5783A97F.5040406@redhat.com> References: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com> <5783A97F.5040406@redhat.com> Message-ID: In our FreeIPA deployment the clients use pam_nss_ldapd with the "compat" schema. No ipa-client. 
I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the replicas (out of 8) where the external app authenticates against IPA's LDAP. These 2 replicas are more used like readonly. The Web UI where the users login and change their profile is not on these replicas. With this LDAP binds are denied to users with expired passwords from the external app. Will this setup have any issues, related to replication etc ? On 11 July 2016 at 19:43, Rob Crittenden wrote: > Prashant Bapat wrote: > >> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6 >> and compiled the ipa-pwd-extop slapi plugin. >> >> Now the user is denied bind. But unable to reset the password. >> > > Right, it's a tricky problem which is why it hasn't been resolved yet. You > have come full circle through the same steps we went through. > > rob > > >> >> On 8 July 2016 at 13:21, Martin Kosek > > wrote: >> >> On 07/07/2016 05:19 PM, Prashant Bapat wrote: >> > Anyone ?! >> > >> > On 6 July 2016 at 22:36, Prashant Bapat > >> > >> wrote: >> > >> > Hi, >> > >> > We are using FreeIPA's LDAP as the base for user authentication >> in a >> > different application. So far I have created a sysaccount which >> does the >> > lookup etc for a user and things are working as expected. I'm >> even able to >> > use OTP from the external app. >> > >> > One problem I'm struggling to fix is the expired passwords. Is >> there a way >> > to deny bind to LDAP only from this application? Obviously the >> user would >> > need to go to IPA's web UI and reset his password there. >> > >> > I came across this tickethttps:// >> fedorahosted.org/freeipa/ticket/1539 but >> > looks like this is an old one. >> > >> > Thanks. >> > --Prashant >> >> Hello Prashant, >> >> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right >> ticket, if >> you want users with expired passwords to be denied, but it was not >> implemented >> yet. Help welcome! 
>> >> As a workaround, I assume you could simply leverage Kerberos for >> authentication >> - it does respect expired passwords. We have advise on how to >> integrate that to >> external web applications here: >> >> http://www.freeipa.org/page/Web_App_Authentication >> >> Martin >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Jul 26 03:45:20 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 26 Jul 2016 13:45:20 +1000 Subject: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder In-Reply-To: <3397838.Y5170lQIpI@linux-ws1.messinet.com> References: <3397838.Y5170lQIpI@linux-ws1.messinet.com> Message-ID: <20160726034519.GM10771@dhcp-40-8.bne.redhat.com> On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" > with the following command. I can confirm certificate with serial 0x14 is > present in the system and is not expired/revoked, etc. I'm a bit nervous > about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output > below. > > # /usr/bin/openssl ocsp \ > -issuer /etc/ipa/ca.crt \ > -nonce \ > -CAfile /etc/ipa/ca.crt \ > -url "http://ipa-ca.example.com/ca/ocsp" \ > -serial 0x14 > > # rpm -q freeipa-server pki-server > freeipa-server-4.3.1-1.fc24.x86_64 > pki-server-10.3.3-1.fc24.noarch > Hi Anthony, I wrote this code and I think I know what the issue is. Could you please execute `pki-server db-upgrade -v` as root, then try the OCSP request again? 
If it works, happy day for you, and for me too because it confirms the issue which I must fix :) Thanks, Fraser From ftweedal at redhat.com Tue Jul 26 04:40:38 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 26 Jul 2016 14:40:38 +1000 Subject: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder In-Reply-To: <20160726034519.GM10771@dhcp-40-8.bne.redhat.com> References: <3397838.Y5170lQIpI@linux-ws1.messinet.com> <20160726034519.GM10771@dhcp-40-8.bne.redhat.com> Message-ID: <20160726044038.GN10771@dhcp-40-8.bne.redhat.com> On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote: > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" > > with the following command. I can confirm certificate with serial 0x14 is > > present in the system and is not expired/revoked, etc. I'm a bit nervous > > about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output > > below. > > > > # /usr/bin/openssl ocsp \ > > -issuer /etc/ipa/ca.crt \ > > -nonce \ > > -CAfile /etc/ipa/ca.crt \ > > -url "http://ipa-ca.example.com/ca/ocsp" \ > > -serial 0x14 > > > > # rpm -q freeipa-server pki-server > > freeipa-server-4.3.1-1.fc24.x86_64 > > pki-server-10.3.3-1.fc24.noarch > > > Hi Anthony, > > I wrote this code and I think I know what the issue is. Could you > please execute `pki-server db-upgrade -v` as root, then try the OCSP > request again? > > If it works, happy day for you, and for me too because it confirms > the issue which I must fix :) > On further investigation, what I thought was the problem cannot be the problem. No need to follow my earlier suggestion. But I found (and fixed) something else. Would you be willing to try my COPR build[1]? It contains the linked patch[2] plus whatever is between your installed pki version and the Dogtag master branch at a307cf68e91327ddbef4b9d7e2bbd3991354831f. 
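Editor's note, added here and not part of Fraser's or Anthony's messages: the `openssl ocsp -issuer /etc/ipa/ca.crt -serial 0x14` request above does not carry the issuer's name as such. It carries a CertID: SHA-1 hashes of the issuer's DER-encoded subject name and of its raw public key bits, plus the serial. A responder first has to match both hashes against a CA it knows, and only after that match does it look the serial up; "OCSPServlet: Could not locate issuing CA" is that match failing. The stdlib-only Python below, written for this page and not taken from Dogtag or FreeIPA, builds such a request with hand-rolled DER (including the nonce extension that `-nonce` adds), decodes it, and runs the responder-side lookup against a toy CA table. The issuer name and key bytes are constructed placeholders, not a real certificate.

```python
"""Editor-added example (not from the thread, FreeIPA or Dogtag): build, decode and
look up an RFC 6960 OCSP request with hand-rolled DER. Standard library only."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26, the default for openssl ocsp
OCSP_NONCE_OID = bytes.fromhex("2b0601050507300102")  # 1.3.6.1.5.5.7.48.1.2, id-pkix-ocsp-nonce


def der_len(n):
    """DER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value):
    """INTEGER in minimal two's complement; a serial with its top bit set gets a 0x00 pad."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    hash_alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))
    return tlv(0x30, hash_alg
               + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))


def build_ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { CertID }, [2] extensions } }."""
    tbs = tlv(0x30, tlv(0x30, cert_id(issuer_name_der, issuer_key_bits, serial)))
    if nonce is not None:  # what `openssl ocsp -nonce` adds; extnValue wraps a nested OCTET STRING
        ext = tlv(0x30, tlv(0x06, OCSP_NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out


def parse_ocsp_request(der):
    """Return [(issuerNameHash, issuerKeyHash, serial), ...] from a DER OCSPRequest."""
    _, ocsp_req, _ = der_read(der)
    (_, tbs), *_ = der_children(ocsp_req)                               # drop optionalSignature
    request_list = next(b for t, b in der_children(tbs) if t == 0x30)  # skip [0], [1], [2]
    ids = []
    for _, request in der_children(request_list):
        (_, cid), *_ = der_children(request)
        _alg, (_, name_hash), (_, key_hash), (_, serial) = der_children(cid)
        ids.append((name_hash, key_hash, int.from_bytes(serial, "big", signed=True)))
    return ids


class ToyResponder:
    """The lookup a responder performs: CertID hashes -> a CA it knows -> that CA's status table."""

    def __init__(self):
        self.cas = {}

    def add_ca(self, issuer_name_der, issuer_key_bits, status_by_serial):
        key = (hashlib.sha1(issuer_name_der).digest(), hashlib.sha1(issuer_key_bits).digest())
        self.cas[key] = status_by_serial

    def answer(self, request_der):
        out = []
        for name_hash, key_hash, serial in parse_ocsp_request(request_der):
            statuses = self.cas.get((name_hash, key_hash))
            if statuses is None:  # no CA matches both hashes: the "Could not locate issuing CA" case
                out.append((serial, "unknown (issuing CA not found)"))
            else:
                out.append((serial, statuses.get(serial, "unknown")))
        return out


# Constructed stand-ins for a CA's DER-encoded Name and raw subjectPublicKey bits.
DEMO_CA_NAME = b"constructed-issuer-name-der"
DEMO_CA_KEY = b"constructed-issuer-public-key-bits"


def demo():
    responder = ToyResponder()
    responder.add_ca(DEMO_CA_NAME, DEMO_CA_KEY, {0x14: "good", 0x15: "revoked"})
    known = responder.answer(build_ocsp_request(DEMO_CA_NAME, DEMO_CA_KEY, 0x14, bytes(range(16))))
    stray = responder.answer(build_ocsp_request(b"other-ca-name", b"other-ca-key", 0x14))
    return known, stray
```

`demo()` returns `[(20, 'good')]` for the request aimed at the known CA and `[(20, 'unknown (issuing CA not found)')]` for the same serial under a CA the responder has never seen, which is the shape of the failure in the Dogtag debug log: the serial is fine, the issuer match is not.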
[1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/ [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch Alternatively, you can apply the patch and build Dogtag yourself (if, e.g., you do not trust my COPR packages, which is fair enough ^_^) Thanks, Fraser From malo at avast.com Tue Jul 26 08:10:18 2016 From: malo at avast.com (malo) Date: Tue, 26 Jul 2016 10:10:18 +0200 Subject: [Freeipa-users] AD Sync and groups Message-ID: <57971AEA.3020302@avast.com> Hello, I am currently setting up an architecture involving FreeIPA to provide SSO for SSH to the servers. I have several servers (~1500) in a few datacenters all over the world (North America, South America, Europe, Asia). The idea here was to have 4 masters/replicas per datacenter, with one master/replica involved in a winsync replication process with our AD. Thus, we would not suffer network outages, slow downs or timeouts because each FreeIPA server would have a closer database of users instead of querying a long distance AD. I've managed to setup successfully the winsync replication (after having trouble with replication rights). I then turned on group replication : ldapmodify -x -D "cn=directory manager" -w PASS dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify replace: nsds7NewWinGroupSyncEnabled nsds7NewWinGroupSyncEnabled: true I re-initialized the replication but I have no groups. I did a little digging and came on this : https://bugzilla.redhat.com/show_bug.cgi?id=1002414 Very unfortunate for me but a few things bother me. 
It says "reenable" in the RFE and I also found this documentation : https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html It clearly specifies how to sync groups, which I enabled, but nothings happen for me. So, my questions would be : - Is winsync group sync still enabled ? - If not, why and when has it been disabled ? - Is there anyway I could reenable it, by digging into the code ? Group sync seems a really MUST HAVE as a feature for the winsync, since flat hierarchy is not really useful, imho. I can't consider an AD Trust architecture, It would be too dangerous since the network connectivity of the AD is not safe enough, I could not risk to block SSH access on my servers because of network lag. Has anyone been in a similar situation ? Do you have implemented AD trust or winsync replication in such a large scale ? Thank your for reading me, Have a nice day, Nathan MALO From abokovoy at redhat.com Tue Jul 26 08:30:46 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 26 Jul 2016 11:30:46 +0300 Subject: [Freeipa-users] AD Sync and groups In-Reply-To: <57971AEA.3020302@avast.com> References: <57971AEA.3020302@avast.com> Message-ID: <20160726083046.h6hqgyidmrjylipy@redhat.com> On Tue, 26 Jul 2016, malo wrote: >Hello, > >I am currently setting up an architecture involving FreeIPA to provide >SSO for SSH to the servers. >I have several servers (~1500) in a few datacenters all over the world >(North America, South America, Europe, Asia). >The idea here was to have 4 masters/replicas per datacenter, with one >master/replica involved in a winsync replication process with our AD. >Thus, we would not suffer network outages, slow downs or timeouts >because each FreeIPA server would have a closer database of users >instead of querying a long distance AD. > >I've managed to setup successfully the winsync replication (after >having trouble with replication rights). 
I then turned on group >replication : > >ldapmodify -x -D "cn=directory manager" -w PASS > >dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping >tree,cn=config >changetype: modify >replace: nsds7NewWinGroupSyncEnabled >nsds7NewWinGroupSyncEnabled: true > > >I re-initialized the replication but I have no groups. >I did a little digging and came on this : >https://bugzilla.redhat.com/show_bug.cgi?id=1002414 >Very unfortunate for me but a few things bother me. > >It says "reenable" in the RFE and I also found this documentation : https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html There is a difference between 389-ds winsync and FreeIPA winsync. The latter is a simplified version that doesn't see development anymore and is not supporting group sync because groups on IPA side are sufficiently different from AD groups while generic 389-ds winsync plugin is not tuned to IPA DIT. >It clearly specifies how to sync groups, which I enabled, but nothings >happen for me. >So, my questions would be : >- Is winsync group sync still enabled ? >- If not, why and when has it been disabled ? >- Is there anyway I could reenable it, by digging into the code ? > >Group sync seems a really MUST HAVE as a feature for the winsync, >since flat hierarchy is not really useful, imho. IPA uses flat hierarchy and has no support for non-flat DIT. >I can't consider an AD Trust architecture, It would be too dangerous >since the network connectivity of the AD is not safe enough, I could >not risk to block SSH access on my servers because of network lag. > >Has anyone been in a similar situation ? Do you have implemented AD >trust or winsync replication in such a large scale ? I cannot tell about actual deployments but there are plenty deployments with trust to AD in multiple data centers. 
If you need, with FreeIPA 4.0+ you can actually proxy Kerberos authentication via IPA servers to AD DCs and also can do offline authentication in SSSD. -- / Alexander Bokovoy From amessina at messinet.com Tue Jul 26 10:16:34 2016 From: amessina at messinet.com (Anthony Joseph Messina) Date: Tue, 26 Jul 2016 05:16:34 -0500 Subject: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder In-Reply-To: <20160726044038.GN10771@dhcp-40-8.bne.redhat.com> References: <3397838.Y5170lQIpI@linux-ws1.messinet.com> <20160726034519.GM10771@dhcp-40-8.bne.redhat.com> <20160726044038.GN10771@dhcp-40-8.bne.redhat.com> Message-ID: <2142044.BEM9oH7mMN@linux-ws1.messinet.com> On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote: > On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote: > > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote: > > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP > > > responder" with the following command. I can confirm certificate with > > > serial 0x14 is present in the system and is not expired/revoked, etc. > > > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA" > > > in the Dogtag output below. > > > > > > # /usr/bin/openssl ocsp \ > > > > > > -issuer /etc/ipa/ca.crt \ > > > -nonce \ > > > -CAfile /etc/ipa/ca.crt \ > > > -url "http://ipa-ca.example.com/ca/ocsp" \ > > > -serial 0x14 > > > > > > # rpm -q freeipa-server pki-server > > > freeipa-server-4.3.1-1.fc24.x86_64 > > > pki-server-10.3.3-1.fc24.noarch > > > > Hi Anthony, > > > > I wrote this code and I think I know what the issue is. Could you > > please execute `pki-server db-upgrade -v` as root, then try the OCSP > > request again? > > > > If it works, happy day for you, and for me too because it confirms > > the issue which I must fix :) > > On further investigation, what I thought was the problem cannot be > the problem. No need to follow my earlier suggestion. 
>
> But I found (and fixed) something else. Would you be willing to try
> my COPR build[1]? It contains the linked patch[2] plus whatever is
> between your installed pki version and the Dogtag master branch at
> a307cf68e91327ddbef4b9d7e2bbd3991354831f.
>
> [1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
> [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch
>
> Alternatively, you can apply the patch and build Dogtag yourself
> (if, e.g., you do not trust my COPR packages, which is fair enough
> ^_^)

Your COPR repo with this patch fixes the OCSP responder issue. Thank you Fraser. -A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6

From suygur at firstderivatives.com Tue Jul 26 10:18:00 2016
From: suygur at firstderivatives.com (Stefan Uygur)
Date: Tue, 26 Jul 2016 10:18:00 +0000
Subject: [Freeipa-users] who did what on IPAv3 - auditing
Message-ID: <38C784D32FB4354DAED01CCB1BB505351747C1F1@mail01.firstderivatives.com>

Hi all,

Still around the auditing problem with IPA, it seems the part related to auditing is completely missing in IPA and that is not really good.

For instance, to find out who did what, who added or modified the permissions or users or sudo rules, etc, all this needs auditing and it needs to be proof of concept.

I don't see IPA being very friendly with the auditing part, although IPA is a central identity management system, which means auditing is all over IPA. I am surprised that this part is missing.

There is a page that suggests setting up central logging: http://www.freeipa.org/page/Centralized_Logging

With a combination of multiple logs, but I have checked the logs accurately, I still can't find out, say, who added user John Doe on 21 July 2016 at 11.35.

Has anybody in the list experienced or set up such a solution where the IPA server activity is tracked down?

Stefan

From suygur at firstderivatives.com Tue Jul 26 10:45:10 2016
From: suygur at firstderivatives.com (Stefan Uygur)
Date: Tue, 26 Jul 2016 10:45:10 +0000
Subject: [Freeipa-users] who did what on IPAv3 - auditing
Message-ID: <38C784D32FB4354DAED01CCB1BB505351747C25F@mail01.firstderivatives.com>

This is the case I am after, just to be more precise: https://access.redhat.com/solutions/441893

It was requested 3yrs ago but no follow up so far.

From: Stefan Uygur
Sent: 26 July 2016 11:18
To: freeipa-users at redhat.com
Subject: who did what on IPAv3 - auditing

Hi all,

Still around the auditing problem with IPA, it seems the part related to auditing is completely missing in IPA and that is not really good.

For instance, to find out who did what, who added or modified the permissions or users or sudo rules, etc, all this needs auditing and it needs to be proof of concept.

I don't see IPA being very friendly with the auditing part, although IPA is a central identity management system, which means auditing is all over IPA. I am surprised that this part is missing.

There is a page that suggests setting up central logging: http://www.freeipa.org/page/Centralized_Logging

With a combination of multiple logs, but I have checked the logs accurately, I still can't find out, say, who added user John Doe on 21 July 2016 at 11.35.

Has anybody in the list experienced or set up such a solution where the IPA server activity is tracked down?

Stefan
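Editor's note, added here and not part of Stefan's message: the two places on an IPA 3.x server that record "who did what" for the case he describes are the httpd error log, where the IPA API server logs each command with the authenticated principal, its arguments and its result, and the 389-ds audit log, which records every write with the entry DN and the creator or modifier DN. The Python below correlates the two to answer "who added user jdoe, and when". It is written for this page, not taken from FreeIPA: the error_log line shape is the one I recall the IPA 3.x API server writing, the audit records follow the LDIF-like layout of the 389-ds audit log as I recall it, and every sample line is constructed, so check both regular expressions against your own files before relying on them.

```python
"""Editor-added example (not from the thread or FreeIPA): answer "who added user X and when"
from an IPA server's httpd error log (API commands) and its 389-ds audit log."""
import re
from datetime import datetime

# Constructed sample of IPA API logging in the httpd error log (IPA 3.x line shape assumed).
HTTPD_ERROR_LOG = """\
[Thu Jul 21 11:34:58 2016] [error] ipa: INFO: admin@EXAMPLE.COM: user_find(u'', all=False): SUCCESS
[Thu Jul 21 11:35:02 2016] [error] ipa: INFO: admin@EXAMPLE.COM: user_add(u'jdoe', givenname=u'John', sn=u'Doe'): SUCCESS
[Thu Jul 21 11:36:10 2016] [error] ipa: INFO: helpdesk@EXAMPLE.COM: sudorule_add(u'dba'): SUCCESS
[Thu Jul 21 11:40:44 2016] [error] ipa: INFO: helpdesk@EXAMPLE.COM: user_add(u'jdoe'): DuplicateEntry
"""

# Constructed sample of the 389-ds audit log: LDIF-like records separated by blank lines (layout assumed).
DS_AUDIT_LOG = """\
time: 20160721113502
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
result: 0
changetype: add
objectClass: person
uid: jdoe
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com

time: 20160721113610
dn: cn=dba,cn=sudorules,cn=sudo,dc=example,dc=com
result: 0
changetype: add
objectClass: ipasudorule
creatorsName: uid=helpdesk,cn=users,cn=accounts,dc=example,dc=com
"""

API_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)? \d{4})\]"
    r".*?ipa: INFO: (?:\[\w+\] )?(?P<who>\S+?): (?P<cmd>\w+)\((?P<args>.*)\): (?P<result>\w+)$")


def parse_api_log(text):
    """Return [(time, principal, command, primary key, result), ...] for each IPA API call."""
    events = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(re.sub(r"\.\d+", "", m["ts"]), "%a %b %d %H:%M:%S %Y")
        key = re.match(r"u?'([^']*)'", m["args"])  # first positional argument is the primary key
        events.append((when, m["who"], m["cmd"], key.group(1) if key else None, m["result"]))
    return events


def parse_ds_audit(text):
    """Return one dict per audit record (keys lower-cased; first value kept for repeated attributes)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            if ":" in line and not line.startswith("-"):
                k, v = line.split(":", 1)
                rec.setdefault(k.strip().lower(), v.strip())
        if "time" in rec:
            rec["time"] = datetime.strptime(rec["time"], "%Y%m%d%H%M%S")
            records.append(rec)
    return records


def who_added_user(uid, api_events, ds_records):
    """Correlate both logs for the creation of one user: [("api"|"ldap", time, actor), ...]."""
    findings = []
    for when, who, cmd, key, result in api_events:
        if cmd == "user_add" and key == uid and result == "SUCCESS":
            findings.append(("api", when, who))
    prefix = "uid=%s,cn=users," % uid.lower()
    for rec in ds_records:
        if (rec.get("changetype") == "add" and rec.get("result") == "0"
                and rec.get("dn", "").lower().startswith(prefix)):
            findings.append(("ldap", rec["time"], rec.get("creatorsname", "?")))
    return findings


def demo(uid="jdoe"):
    return who_added_user(uid, parse_api_log(HTTPD_ERROR_LOG), parse_ds_audit(DS_AUDIT_LOG))
```

With the constructed samples, `demo()` reports the add at 11:35:02 from both sources, the API view naming the Kerberos principal admin@EXAMPLE.COM and the directory view naming the bound DN; the later failed `user_add` by helpdesk is visible in `parse_api_log` output but is not counted as a creation. Shipping both files to the central log store the thread's replies mention keeps this answerable after the server's own logs rotate.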
From prashant at apigee.com Tue Jul 26 11:45:52 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 26 Jul 2016 17:15:52 +0530
Subject: [Freeipa-users] who did what on IPAv3 - auditing
In-Reply-To: <38C784D32FB4354DAED01CCB1BB505351747C25F@mail01.firstderivatives.com>
References: <38C784D32FB4354DAED01CCB1BB505351747C25F@mail01.firstderivatives.com>
Message-ID:

What we have done is as follows.

1. For all the changes happening thru IPA APIs (either cmd line or WebUI), you can capture these in the httpd error logs. We trigger alert emails on important events such as new user addition etc.

2. For everything including the above, you can always enable the 389 ds LDAP audit logs. Refer to this link.

Both these logs are sent to a central logging system for storage and retrieval.

On 26 July 2016 at 16:15, Stefan Uygur wrote:
> This is the case I am after just to be more precise:
>
> https://access.redhat.com/solutions/441893
>
> It was requested 3yrs ago but no follow up so far.
>
> *From:* Stefan Uygur
> *Sent:* 26 July 2016 11:18
> *To:* freeipa-users at redhat.com
> *Subject:* who did what on IPAv3 - auditing
>
> Hi all,
>
> Still around the auditing problem with IPA, it seems the part related to
> auditing is completely missing in IPA and that is not really good.
>
> For instance, to find out who did what, who added or modified the
> permissions or users or sudo rules, etc, all this need auditing and it
> needs to be proof of concept.
>
> I don't see IPA being very friendly with auditing part, although IPA is a
> central identity management system, which means auditing is all over IPA. I
> am surprised that this part is missing.
>
> There is a page suggests to set up central login:
> http://www.freeipa.org/page/Centralized_Logging
>
> With a combination of multiple logs, but I have checked accurately the
> logs, I still can't find out say, who added user John Doe in date 21 July
> 2016 at 11.35.
>
> Has anybody in the list experienced or set up such solution where the IPA
> server activity is tracked down?
>
> Stefan
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From ezajko at root.ba Tue Jul 26 11:51:07 2016
From: ezajko at root.ba (Ernedin Zajko)
Date: Tue, 26 Jul 2016 13:51:07 +0200
Subject: [Freeipa-users] who did what on IPAv3 - auditing
In-Reply-To: <38C784D32FB4354DAED01CCB1BB505351747C25F@mail01.firstderivatives.com>
References: <38C784D32FB4354DAED01CCB1BB505351747C25F@mail01.firstderivatives.com>
Message-ID:

Hi Stefan,

have you seen this: https://access.redhat.com/solutions/772563

regards,
---
Ernedin ZAJKO
ezajko at root.ba > 340282366920938463463374607431768211456

On Tue, Jul 26, 2016 at 12:45 PM, Stefan Uygur wrote:
> This is the case I am after just to be more precise:
>
> https://access.redhat.com/solutions/441893
>
> It was requested 3yrs ago but no follow up so far.
>
> From: Stefan Uygur
> Sent: 26 July 2016 11:18
> To: freeipa-users at redhat.com
> Subject: who did what on IPAv3 - auditing
>
> Hi all,
>
> Still around the auditing problem with IPA, it seems the part related to
> auditing is completely missing in IPA and that is not really good.
>
> For instance, to find out who did what, who added or modified the
> permissions or users or sudo rules, etc, all this need auditing and it needs
> to be proof of concept.
>
> I don't see IPA being very friendly with auditing part, although IPA is a
> central identity management system, which means auditing is all over IPA. I
> am surprised that this part is missing.
>
> There is a page suggests to set up central login:
> http://www.freeipa.org/page/Centralized_Logging
>
> With a combination of multiple logs, but I have checked accurately the logs,
> I still can't find out say, who added user John Doe in date 21 July 2016 at
> 11.35.
>
> Has anybody in the list experienced or set up such solution where the IPA
> server activity is tracked down?
>
> Stefan
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From rakesh.rajasekharan at gmail.com Tue Jul 26 12:37:10 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 26 Jul 2016 18:07:10 +0530
Subject: [Freeipa-users] slow login with freeipa 4.2.0
In-Reply-To: <20160725174204.GM12570@hendrix>
References: <20160725174204.GM12570@hendrix>
Message-ID:

> Any chance that it's running on a VM? If so, check your entropy:
> cat /proc/sys/kernel/random/entropy_avail
> If it's low (like < 1k), install haveged.

This indeed is a VM; I am running it on Azure. However, I have a similar set up running on AWS which works completely fine.

The entropy was low, around 180. I installed haveged and now it's above 3k:

cat /proc/sys/kernel/random/entropy_avail
3178

The timing though is still the same, around 19s.

@jakub, I am reattaching the logs.
The DNS resolution seems fast when I check using dig. Below is my sssd.conf:

[domain/xyz.com]
selinux_provider=none
krb5_auth_timeout = 20
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = 10.65.16.4
chpass_provider = ipa
ipa_server = ipa-master-in.xyz.com
dns_discovery_domain = xyz.com
ignore_group_members=True
ldap_purge_cache_timeout = 0
debug_level=8

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = xyz.com

[nss]
homedir_substring = /home

[pam]
pam_id_timeout = 3

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

And here are the login times and logs:

[root at ipa-client-1 :~] date;ssh testuser at localhost
Tue Jul 26 12:06:37 UTC 2016
testuser at localhost's password:
Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
[testuser at ipa-client-1 :~] date
Tue Jul 26 12:06:55 UTC 2016

sssd_domain logs

(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
[sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com]. (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting 
attrs: [entryUSN] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] 
(0x1000): Requesting attrs: [loginExpirationTime]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 85
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 85 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d010af10], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d010af10], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 85 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Save user
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Processing user testuser
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): Adding originalDN [uid=testuser,cn=users,cn=accounts,dc=xyz,dc=com] to attributes of [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160726120558Z] to attributes of [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding user principal [testuser at xyz.COM] to attributes of [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20160511120919Z] to attributes of [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20160809120919Z] to attributes of [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [testuser].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Storing info for user testuser
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userCertificate] from [testuser]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object testuser
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 86
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 86 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 86 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 87
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 87 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 87 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 88
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 88 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 88 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipaUniqueID=f990b3fc-1770-11e6-b561-000d3a01891b,cn=sudorules,cn=sudo,dc=xyz,dc=com, returned 0 results. Skipping
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 89
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 89 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spr-itops,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 89 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com,cn=sysdb))]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spradmins,cn=groups,cn=xyz.com,cn=sysdb))]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spradmins is a member of 0 sysdb groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spradmins is a direct member of 0 LDAP groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spr-itops
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=spr-itops,cn=groups,cn=xyz.com,cn=sysdb))]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): spr-itops is a member of 0 sysdb groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group spr-itops is a direct member of 0 LDAP groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x1000): The user testuser is a direct member of 3 LDAP groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=testuser,cn=users,cn=xyz.com,cn=sysdb))]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): testuser is a member of 3 sysdb groups
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for testuser
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=703)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 90
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 90 timeout 6
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d11378f0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 90 finished
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Processing group spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x2000): This is a posix group
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of [spradmins].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160722213052Z] to attributes of [spradmins].
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Storing info for group spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Processing group spradmins
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): No members for group [spradmins]
(Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_nested_done] (0x2000): No external members, done
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] (0x2000): 0x7f88d0100830
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[(nil)], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] (0x2000): 0x7f88d0100830
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 42266
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [testuser] is empty, running request [0x7f88d1142ab0] immediately.
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-in.xyz.com' is 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-master-in.xyz.com' is 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-in.xyz.com' is 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-master-in.xyz.com: [10.65.16.4] TTL 127
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipa-master-in.xyz.com'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [42276]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [42276]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [42276].
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [42276] finished successfully.
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa-master-in.xyz.com' as 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-master-in.xyz.com' as 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipa-master-in.xyz.com' as 'working'
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [check_wait_queue] (0x1000): Wait queue for user [testuser] is empty.
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f88d1142ab0] done.
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 42266
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jul 26 12:06:41 2016)
[sssd[be[xyz.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [testuser] is empty, running request [0x7f88d1142ab0] immediately. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-in.xyz.com' is 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-master-in.xyz.com' is 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-in.xyz.com' is 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-master-in.xyz.com: [10.65.16.4] TTL 127 (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipa-master-in.xyz.com' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [42277] (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [42277] (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [42277]. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [42277] finished successfully. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][35]. 
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][28]. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1469534801][1469534801][1469621201][0]. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8]. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa-master-in.xyz.com' as 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-master-in.xyz.com' as 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipa-master-in.xyz.com' as 'working' (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [check_wait_queue] (0x1000): Wait queue for user [testuser] is empty. (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f88d1142ab0] done. 
(Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)] (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com] (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser: (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Jul 26 12:06:42 2016) 
[sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 42266 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_access_send] (0x0400): Performing access check for user [testuser] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [testuser] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=10.65.32.4))][cn=accounts,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 91 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 91 timeout 60 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) 
[sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=10.65.32.4,cn=computers,cn=accounts,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 91 finished (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=10.65.32.4,cn=computers,cn=accounts,dc=xyz,dc=com] using OpenLDAP deref (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=10.65.32.4,cn=computers,cn=accounts,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 92 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 92 timeout 60 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 92 finished (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Tue Jul 26 12:06:42 2016) 
[sssd[be[xyz.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=xyz,dc=com][2][(objectClass=ipaHBACService)] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 93 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 93 timeout 60 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 93 finished (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=xyz,dc=com][2][(objectClass=ipaHBACServiceGroup)] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 94 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 94 timeout 60 (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d01117e0], ldap[0x7f88d00f9950] (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=xyz,dc=com]. 
[sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=testuser,cn=users,cn=xyz.com,cn=sysdb))] (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): testuser is a member of 3 sysdb groups (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for testuser (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com] (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4 (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=703)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 101
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_op_add] (0x2000): New operation 101 timeout 6
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d115e2d0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d115e2d0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com].
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[0x7f88d115e2d0], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_op_destructor] (0x2000): Operation 101 finished
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Processing group spradmins
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x2000): This is a posix group
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=spradmins,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of [spradmins].
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160722213052Z] to attributes of [spradmins].
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Storing info for group spradmins
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object spradmins
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Processing group spradmins
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): No members for group [spradmins]
(Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_nested_done] (0x2000): No external members, done
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] (0x2000): 0x7f88d1178b40
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f88d012a0e0], connected[1], ops[(nil)], ldap[0x7f88d00f9950]
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] (0x2000): 0x7f88d1178b40
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 42266
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: testuser
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 0
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 42304
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]

Thanks,
Rakesh

On Mon, Jul 25, 2016 at 11:12 PM, Jakub Hrozek wrote:
> On Mon, Jul 25, 2016 at 09:23:19PM +0530, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am facing slow login issue with IPA 4.2.0 version. The login takes
> > around 18-19s
> >
> > date;ssh testuser@10.16.32.4
> > Mon Jul 25 11:14:54 UTC 2016
> > testuser@10.65.32.4's password:
> > Last login: Mon Jul 25 11:10:35 2016 from 10.65.16.4
> > [testuser@ipa-client-1 :~] date
> > Mon Jul 25 11:15:12 UTC 2016
>
> Are you sure the logs correspond to the login attempt? The stamps you
> posted are between 11:14:54 and 11:15:12 but the logs below are from a
> different time period.
>
> There is a 10 second period in the sssd logs when seemingly nothing
> happens.
>
> Does the same delay happen if you su from another non-root account
> (ruling out some DNS issues in SSH or similar) ?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From linov.suresh at gmail.com  Tue Jul 26 12:47:16 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 26 Jul 2016 08:47:16 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578E3E45.1040904@redhat.com> <578F85E2.7010704@redhat.com> <578FC170.20405@redhat.com> <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com> <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com> <5790F710.8040900@redhat.com> <579269D8.6040601@redhat.com>
Message-ID:

Removed the duplicate certificates and tried to renew the certificates; we
were able to renew the certificates and "*ca-error: Internal error: no
response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true"*."
is gone this time.

Thanks for your help. We have a master replica also, *how do we renew the
replica server*?

On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh wrote:

> Thank you very much Rob.
> Let me remove the duplicate certificates and try to renew the certificates
> again to see if "*ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true"*."
> goes away?
>
>
> On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden wrote:
>
>> Linov Suresh wrote:
>>
>>> Could you please verify, if we have set correct trust attributes on the
>>> certificates
>>>
>>> *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>>
>>> Certificate Nickname                      Trust Attributes
>>>                                           SSL,S/MIME,JAR/XPI
>>>
>>> subsystemCert cert-pki-ca                 u,u,Pu
>>> ocspSigningCert cert-pki-ca               u,u,u
>>> caSigningCert cert-pki-ca                 CTu,Cu,Cu
>>> subsystemCert cert-pki-ca                 u,u,Pu
>>> Server-Cert cert-pki-ca                   u,u,u
>>> auditSigningCert cert-pki-ca              u,u,Pu
>>>
>>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>>
>>> Certificate Nickname                      Trust Attributes
>>>                                           SSL,S/MIME,JAR/XPI
>>>
>>> ipaCert                                   u,u,u
>>> Server-Cert                               u,u,u
>>> TELOIP.NET IPA CA                         CT,C,C
>>> ipaCert                                   u,u,u
>>> Signing-Cert                              u,u,u
>>> Server-Cert                               u,u,u
>>>
>>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>>
>>> Certificate Nickname                      Trust Attributes
>>>                                           SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert                               u,u,u
>>> TELOIP.NET IPA CA                         CT,,C
>>> Server-Cert                               u,u,u
>>> [root@caer ~]#
>>>
>>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>>> directory, subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was
>>> wondering if we need to remove these duplicate certificates? *
>>>
>>
>> Yeah you should remove the duplicate certs, they seem to cause problems
>> with dogtag at least (certmonger _should_ handle this automatically, we'll
>> be looking into it soonish).
>>
>> To remove the duplicate cert:
>>
>> 1. Shutdown the service
>> 2. Back up the NSS database
>> 3. certutil -L -d /path/to/db -n <nickname> -a > somefile
>> 4. split somefile into separate files so each file has a BEGIN/END
>> certificate
>> 5. openssl x509 -text -in -infile somefile1..n
>> 6. Pick the one with the most recent issuance date
>> 7. You backed up the NSS database, right?
>> 8. certutil -D -d /path/to/db -n <nickname>
>> 9. certutil -A -d /path/to/db -n <nickname> -t u,u,u -a -i somefilex
>> 10. Start the service, watch logs for errors
>>
>> For the trust use whatever the original trust value was.
>>
>> You don't need the P trust flag on the subsystemCert in the CA, only the
>> auditSigningCert.
>>
>> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
>> deal with this automatically, picking the "most correct" cert to use based
>> on the validity period.
>>
>> rob
>>
>>
>>>
>>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:
>>>
>>> I'm facing another issue now, my kerberos tickets are not renewing,
>>>
>>> *[root@caer ~]# ipa cert-show 1*
>>> ipa: ERROR: Ticket expired
>>>
>>> *[root@caer ~]# klist*
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@TELOIP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET@TELOIP.NET
>>> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net@TELOIP.NET
>>> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net@TELOIP.NET
>>>
>>> I need to manually renew the tickets every day,
>>>
>>> *[root@caer ~]# kinit admin*
>>> Password for admin@TELOIP.NET:
>>> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
>>>
>>> *[root@caer ~]# klist*
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@TELOIP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET@TELOIP.NET
>>>
>>>
>>>
>>> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:
>>>
>>> Linov Suresh wrote:
>>>
>>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>>> run. If it is from the same time.
>>>
>>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>>> was run*
>>>
>>>
>>> The IPA API log isn't going to show much in this case.
>>>
>>> Requests to the CA are proxied through IPA. The CA WAR is not
>>> running on tomcat so when Apache tries to proxy the request
>>> tomcat returns a 404, Not Found.
>>>
>>> You need to start with the dogtag debug and selftest logs to see
>>> what is going on. The logs are pretty verbose and can be
>>> challenging to read.
>>>
>>> rob
>>>
>>>
>>> [root@caer ~]# *tail -f /var/log/httpd/error_log*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net@TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net@TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> .
>>> .
>>> .
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> .
>>> .
>>> .
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin@TELOIP.NET: cert_show(u'1'): CertificateOperationError
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21
>>>
>>>
>>> Does `ipa cert-show` communicate with the same replica? Could be
>>> verified by `ipa -vv cert-show`
>>>
>>> *It's asking for the serial number of the certificate. If I give 64
>>> (serial number of ipaCert), I get ipa: ERROR: Certificate operation
>>> cannot be completed: Unable to communicate with CMS (Not Found)*
>>>
>>> *[root@caer ~]# ipa -vv cert-show*
>>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> .
>>> .
>>> .
>>> ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>>> ipa: DEBUG: Created connection context.xmlclient
>>> Serial number: 64
>>> ipa: DEBUG: raw: cert_show(u'64')
>>> ipa: DEBUG: cert_show(u'64')
>>> ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
>>> ipa: DEBUG: NSSConnection init caer.teloip.net
>>> ipa: DEBUG: Connecting: 10.20.0.75:0
>>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> .
>>> .
>>> .
>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>> send: "<?xml version='1.0' encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
>>> reply: 'HTTP/1.1 200 Success\r\n'
>>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>>> header: Server: Apache/2.2.15 (CentOS)
>>> header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>>> header: Connection: close
>>> header: Content-Type: text/xml; charset=utf-8
>>> ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin@TELOIP.NET
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@TELOIP.NET
>>> ipa: DEBUG: stdout=457971704
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@TELOIP.NET
>>> ipa: DEBUG: stdout=457971704
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl pupdate 457971704
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> body: "<?xml version='1.0' encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate operation cannot be completed: Unable to communicate with CMS (Not Found)\n\n\n\n\n"
>>> ipa: DEBUG: Caught fault 4301 from server https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>> [root@caer ~]#
>>>
>>>
>>> But more interesting is: SelfTestSubsystem: The CRITICAL self test
>>> plugin called selftests.container.instance.SystemCertsVerification
>>> running at startup FAILED!
>>>
>>> Are you sure that CA is running?
>>> # ipactl status
>>> *Yes, CA is running, *
>>>
>>> *[root@caer ~]# ipactl status*
>>> Directory Service: RUNNING
>>> KDC Service: RUNNING
>>> KPASSWD Service: RUNNING
>>> DNS Service: RUNNING
>>> MEMCACHE Service: RUNNING
>>> HTTP Service: RUNNING
>>> CA Service: RUNNING
>>>
>>> This looks like the self test failed and therefore the CA shouldn't start. It
>>> also says that one of the CA certs is not valid. Which one might be seen in
>>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>>
>>> *[root@caer ~]# tail -100 /var/log/pki-ca/debug *
>>>
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is connected true
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721114829Z
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849
>>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial >>> Numbers >>> available: 268369849 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert >>> checkRanges done >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting >>> request checkRanges >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial >>> numbers left in >>> range: 9989888 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial >>> Number: 112 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial >>> Numbers >>> available: 9989888 >>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request >>> checkRanges done >>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized. >>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized. 
>>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to >>> start >>> updateCertStatus >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting >>> updateCertStatus (entered lock) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> updateCertStatus() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getInvalidCertificatesByNotBeforeDate filter >>> (certStatus=INVALID) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getInvalidCertificatesByNotBeforeDate: about to call >>> findCertRecordsInList >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: >>> (certStatus=INVALID) attrs: >>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom >>> 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> getInvalidCertsByNotBeforeDate finally. 
>>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries >>> returning 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting >>> Virtual List size: 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be >>> empty >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getValidCertsByNotAfterDate filter (certStatus=VALID) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: (certStatus=VALID) >>> attrs: >>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom >>> 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries >>> returning 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting >>> Virtual List >>> size: 14 >>> 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> transidValidCertificates: list size: 14 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> transitValidCertificates: ltSize 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getElementAt: 0 mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse >>> direction >>> getting index 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does >>> not >>> qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul >>> 21 11:58:29 >>> EDT 2016 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> transitCertList EXPIRED >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getRevokedCertificatesByNotAfterDate filter >>> (certStatus=REVOKED) >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> getRevokedCertificatesByNotAfterDate: about to call >>> findCertRecordsInList >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> LdapBoundConnFactory::getConn() >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn >>> is connected: >>> true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> conn is >>> connected true >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: >>> mNumConns now 1 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In >>> DBVirtualList filter >>> attrs startFrom sortKey pageSize filter: >>> (certStatus=REVOKED) attrs: >>> [objectclass, certRevokedOn, certRecordId, certRevoInfo, >>> notAfter, >>> x509cert] pageSize -200 startFrom 20160721115829Z >>> 
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 2 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: >>> mNumConns now 3 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries >>> returning 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting >>> Virtual List size: 0 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be >>> empty >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: >>> updateCertStatus done >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting >>> cert checkRanges >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial >>> numbers left in >>> range: 268369849 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial >>> Number: 71 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial >>> Numbers >>> available: 268369849 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert >>> checkRanges done >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting >>> request checkRanges >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial >>> numbers left in >>> range: 9989888 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial >>> Number: 112 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial >>> Numbers >>> available: 9989888 >>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request >>> checkRanges done >>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized before. >>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine: >>> getPasswordStore(): password >>> store initialized. >>> >>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik >>> >>> >> >>> wrote: >>> >>> On 07/21/2016 05:14 PM, Linov Suresh wrote: >>> > I set debug=true in /etc/ipa/default.conf >>> > >>> > Here are my logs, >>> >>> The httpd_error log doesn't contain the part where `ipa >>> cert-show 1` was >>> run. If it is from the same time. 
>>> Does `ipa cert-show` communicate with the same replica? Could be verified by `ipa -vv cert-show`
>>>
>>> But more interesting is:
>>>
>>> SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>>
>>> Are you sure that CA is running?
>>> # ipactl status
>>>
>>> This looks like the self test failed and therefore CA shouldn't start. It also says that some CA cert is not valid. Which one might be seen in /var/log/pki-ca/debug but a bigger chunk would be needed.
>>>
>>> >
>>> > *[root at caer ~]# tail -f /var/log/httpd/error_log*
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38
>>> >
>>> > *[root at caer ~]# tail -f /var/log/pki-ca/debug*
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888
>>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done
>>> >
>>> > *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
>>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25 CRL time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25)
>>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>>> > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11 CRL time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11)
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16 CRL time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16)
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0
>>> > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)
>>> > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39
>>> >
>>> > *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>> >
>>> > But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR: Certificate operation cannot be completed: Unable to

From rolf at glptrading.com Fri Jul 22 15:01:59 2016
From: rolf at glptrading.com (Rolf Brusletto)
Date: Fri, 22 Jul 2016 09:01:59 -0600
Subject: [Freeipa-users] ipa-adtrust-install failing at samba restart
Message-ID:

I've been following the doc here: https://www.freeipa.org/page/Active_Directory_trust_setup
To get AD Trust setup for auth of our windows users and vice versa.
I'm getting to the point of running ipa-adtrust-install and getting the following:

[root at awse-util1 ~]# ipa-adtrust-install --netbios-name=
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete. Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
Samba domain object already exists
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/23]: adding RID bases
RID bases already set, nothing to do
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
Fallback group already set, nothing to do
  [19/23]: adding Default Trust View
Default Trust View already exists.
  [20/23]: setting SELinux booleans
  [21/23]: enabling oddjobd
  [22/23]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
  [23/23]: adding SIDs to existing users and groups
ipa : CRITICAL Failed to load ipa-sidgen-task-run.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpiM6PLp' '-H' 'ldapi://%2fvar%2frun%2fslapd-GLPTRADING-NET.socket' '-Y' 'EXTERNAL'' returned non-zero exit status 1
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds
=============================================================================

As well, if I run it with the default settings smbd doesn't start either.

[root at awse-util1 ~]# ipa-adtrust-install --netbios-name=
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]:

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:

The following operations may take some minutes to complete. Please wait until the prompt is returned.

Configuring CIFS
  [1/21]: stopping smbd
  [2/21]: creating samba domain object
Samba domain object already exists
  [3/21]: creating samba config registry
  [4/21]: writing samba config file
  [5/21]: adding cifs Kerberos principal
  [6/21]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/21]: check for cifs services defined on other replicas
  [8/21]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/21]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/21]: adding RID bases
RID bases already set, nothing to do
  [11/21]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/21]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/21]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/21]: configuring smbd to start on boot
  [15/21]: adding special DNS service records
  [16/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/21]: adding fallback group
Fallback group already set, nothing to do
  [18/21]: adding Default Trust View
Default Trust View already exists.
  [19/21]: setting SELinux booleans
  [20/21]: enabling oddjobd
  [21/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds
=============================================================================

Hostname is fqdn.

Packages:
ipa-admintools.x86_64          4.2.0-15.0.1.el7.centos.17   @updates
ipa-client.x86_64              4.2.0-15.0.1.el7.centos.17   @updates
ipa-python.x86_64              4.2.0-15.0.1.el7.centos.17   @updates
ipa-server.x86_64              4.2.0-15.0.1.el7.centos.17   @updates
ipa-server-dns.x86_64          4.2.0-15.0.1.el7.centos.17   @updates
ipa-server-trust-ad.x86_64     4.2.0-15.0.1.el7.centos.17   @updates
libipa_hbac.x86_64             1.13.0-40.el7_2.9            @updates
python-libipa_hbac.x86_64      1.13.0-40.el7_2.9            @updates
sssd-ipa.x86_64                1.13.0-40.el7_2.9            @updates
-------------------------------

If I restart smb, I get the following log entries in /var/log/samba/log.smbd:

[2016/07/22 15:00:17, 0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.10 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/07/22 15:00:17.486910, 0] ipa_sam.c:3703(ipasam_search_domain_info)
  iapsam_search_domain_info: Got [5] domain info entries, but expected only 1.
[2016/07/22 15:00:17.487212, 0] ipa_sam.c:4558(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2016/07/22 15:00:17.487407, 0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-.socket did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

Does anybody have any ideas here?

Best regards,

Rolf Brusletto
Senior Network And Systems Admin
Global Liquidity Partners, LLC
rolf at glptrading.com
720-763-8163 office
303-638-8013 mobile

--
*Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person.*

From rolf at glptrading.com Tue Jul 26 14:26:09 2016
From: rolf at glptrading.com (Rolf Brusletto)
Date: Tue, 26 Jul 2016 08:26:09 -0600
Subject: [Freeipa-users] ipa-adtrust-install failing at samba restart
Message-ID:

I've been following the doc here: https://www.freeipa.org/page/Active_Directory_trust_setup
To get AD Trust setup for auth of our windows users and vice versa.
I'm getting to the point of running ipa-adtrust-install and getting the following: [root at awse-util1 ~]# ipa-adtrust-install --netbios-name= The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the IPA Server. This includes: * Configure Samba * Add trust related objects to IPA LDAP server To accept the default shown in brackets, press the Enter key. IPA generated smb.conf detected. Overwrite smb.conf? [no]: yes Do you want to enable support for trusted domains in Schema Compatibility plugin? This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users. Enable trusted domains support in slapi-nis? [no]: yes Configuring cross-realm trusts for IPA server requires password for user 'admin'. This user is a regular system account used for IPA server administration. admin password: WARNING: 52 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, the in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details. Do you want to run the ipa-sidgen task? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. 
Configuring CIFS [1/23]: stopping smbd [2/23]: creating samba domain object Samba domain object already exists [3/23]: creating samba config registry [4/23]: writing samba config file [5/23]: adding cifs Kerberos principal [6/23]: adding cifs and host Kerberos principals to the adtrust agents group [7/23]: check for cifs services defined on other replicas [8/23]: adding cifs principal to S4U2Proxy targets cifs principal already targeted, nothing to do. [9/23]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [10/23]: adding RID bases RID bases already set, nothing to do [11/23]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [12/23]: activating CLDAP plugin CLDAP plugin already configured, nothing to do [13/23]: activating sidgen task Sidgen task plugin already configured, nothing to do [14/23]: configuring smbd to start on boot [15/23]: adding special DNS service records [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [18/23]: adding fallback group Fallback group already set, nothing to do [19/23]: adding Default Trust View Default Trust View already exists. [20/23]: setting SELinux booleans [21/23]: enabling oddjobd [22/23]: starting CIFS services ipa : CRITICAL CIFS services failed to start [23/23]: adding SIDs to existing users and groups ipa : CRITICAL Failed to load ipa-sidgen-task-run.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpiM6PLp' '-H' 'ldapi://%2fvar%2frun%2fslapd-GLPTRADING-NET.socket' '-Y' 'EXTERNAL'' returned non-zero exit status 1 Done configuring CIFS. 
=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds
=============================================================================

As well, if I run it with the default settings smbd doesn't start either.

[root at awse-util1 ~]# ipa-adtrust-install --netbios-name=

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains
for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]:

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
  [1/21]: stopping smbd
  [2/21]: creating samba domain object
Samba domain object already exists
  [3/21]: creating samba config registry
  [4/21]: writing samba config file
  [5/21]: adding cifs Kerberos principal
  [6/21]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/21]: check for cifs services defined on other replicas
  [8/21]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/21]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/21]: adding RID bases
RID bases already set, nothing to do
  [11/21]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/21]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/21]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/21]: configuring smbd to start on boot
  [15/21]: adding special DNS service records
  [16/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/21]: adding fallback group
Fallback group already set, nothing to do
  [18/21]: adding Default Trust View
Default Trust View already exists.
  [19/21]: setting SELinux booleans
  [20/21]: enabling oddjobd
  [21/21]: starting CIFS services
ipa         : CRITICAL CIFS services failed to start
Done configuring CIFS.
=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds
=============================================================================

Hostname is fqdn.
Packages:
ipa-admintools.x86_64          4.2.0-15.0.1.el7.centos.17    @updates
ipa-client.x86_64              4.2.0-15.0.1.el7.centos.17    @updates
ipa-python.x86_64              4.2.0-15.0.1.el7.centos.17    @updates
ipa-server.x86_64              4.2.0-15.0.1.el7.centos.17    @updates
ipa-server-dns.x86_64          4.2.0-15.0.1.el7.centos.17    @updates
ipa-server-trust-ad.x86_64     4.2.0-15.0.1.el7.centos.17    @updates
libipa_hbac.x86_64             1.13.0-40.el7_2.9             @updates
python-libipa_hbac.x86_64      1.13.0-40.el7_2.9             @updates
sssd-ipa.x86_64                1.13.0-40.el7_2.9             @updates

-------------------------------

If I restart smb, I get the following log entries in /var/log/samba/log.smbd:

[2016/07/22 15:00:17, 0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.10 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/07/22 15:00:17.486910, 0] ipa_sam.c:3703(ipasam_search_domain_info)
  iapsam_search_domain_info: Got [5] domain info entries, but expected only 1.
[2016/07/22 15:00:17.487212, 0] ipa_sam.c:4558(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2016/07/22 15:00:17.487407, 0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-.socket did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

Does anybody have any ideas here?

Best regards,

Rolf Brusletto

From linov.suresh at gmail.com Tue Jul 26 16:18:17 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 26 Jul 2016 12:18:17 -0400
Subject: [Freeipa-users] Replica install fails when using --setup-ca
Message-ID:

I tried to create master replica using the option --setup-ca, it failed, because of "Your system may be partly configured."

Please note we use different ipa package for master and replica.

master:
[root at caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:
[root at neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

*Is this because ipa-server-3.0.0-50 has updates feature "Proxy calls to /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with Dogtag 10 PKI (#1083878)"*

If yes, how do we fix it? Your help is appreciated.

[root at neit-lab01 ipa]# *ipa-replica-install --setup-dns --setup-ca --no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg*
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at TELOIP.NET password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab01.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-t5u9YQ -client_certdb_pwd XXXXXXXX -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab01.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
From linov.suresh at gmail.com Tue Jul 26 16:20:37 2016
From: linov.suresh at gmail.com (Linov Suresh)
Date: Tue, 26 Jul 2016 12:20:37 -0400
Subject: [Freeipa-users] Could not find cert: Signing-Cert : File not found
In-Reply-To:
References: <57968DC5.9030308@redhat.com>
Message-ID:

I was following the same documentation as IPA master for the replica for the certificate renewal. But was unsuccessful.

Should we use "How do I manually renew Identity Management (IPA) certificates after they have expired? (Replica IPA Server)" - https://access.redhat.com/solutions/962373 ?

On Mon, Jul 25, 2016 at 6:17 PM, Linov Suresh wrote:

> We were not sure that Signing-Cert required for LDAP/Apache certificates
> renewal. Thank you very much for your update Rob. We are going to renew the
> certificates without Signing-Cert.
>
> On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden wrote:
>
>> Linov Suresh wrote:
>>
>>> We are using CentOS 6.4/FreeIPA 3.0.0
>>>
>>> LDAP/Apache certificates were expired and when we tried to renew, we
>>> found Signing-Cert is missing.
>>>
>>> # certutil -L -d /etc/httpd/alias -n Signing-Cert
>>> certutil: Could not find cert: Signing-Cert : File not found
>>>
>>> How do we recreate Signing-Cert certificate? We use master-master
>>> replica. Please help.
>>>
>> Only the initial master got a signing cert IIRC. It was used to sign the
>> Firefox configuration jar. Are you using this? Recent versions of Firefox
>> don't allow this kind of signed jar anymore and it has been dropped
>> upstream.
>>
>> Are you just trying to be thorough or is this causing some real problem?
>>
>> rob
>>
>
From jstephen at redhat.com Tue Jul 26 19:37:43 2016
From: jstephen at redhat.com (Justin Stephenson)
Date: Tue, 26 Jul 2016 15:37:43 -0400
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <1648113236.2160185.1469458459691.JavaMail.zimbra@elostech.cz>
References: <2075307509.1969878.1469016947349.JavaMail.zimbra@elostech.cz>
 <41e4334c-531f-0074-cc78-33668d319676@redhat.com>
 <1251970902.1975397.1469028637999.JavaMail.zimbra@elostech.cz>
 <20160720160629.bietw7md672bm22c@redhat.com>
 <912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz>
 <148211644.2050248.1469193591355.JavaMail.zimbra@elostech.cz>
 <1648113236.2160185.1469458459691.JavaMail.zimbra@elostech.cz>
Message-ID: <663d6ce4-c112-abad-5711-4e2af09312ef@redhat.com>

As Alexander mentioned, the LDAP schema still exists to add POSIX
attributes to users and groups in AD but IDMU simply provides a
convenient Graphical interface to manage this.

You should still be able to use powershell or other windows tools to
modify POSIX attributes going forward, but in general a lot of users are
moving towards sssd automatic ID mapping which means there is no
administrative management of uid/gid values.

There may be some other purpose for IDMU that I am not aware of...

Kind regards,
Justin Stephenson

On 07/25/2016 10:54 AM, Jan Karásek wrote:
> Hi,
>
> just for the clarification:
>
> Do I really need IDMU on AD side installed for IPA-AD trust with
> -range-type=ipa-ad-trust-posix ? In W2012 all POSIX attributes are
> already in schema and idrange type can be forced. I just tried to
> remove IDMU from my AD and it's still working. What is the role of
> IDMU other than allowing to autodetect POSIX idrange type via
> the msSFU30OrderNumber msSFU30MaxUidNumber attributes ?
>
> Regards,
> Jan
>
> ------------------------------------------------------------------------
> *From: *"Jan Karásek"
> *To: *"Justin Stephenson"
> *Cc: *"Alexander Bokovoy" , freeipa-users at redhat.com
> *Sent: *Friday, July 22, 2016 3:19:51 PM
> *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hi,
>
> thanks a lot for help guys. It's working now. I can successfully read
> POSIX attributes from AD.
>
> Just now I'm storing uidNumber, gidNumber, gecos, loginShell and
> unixHomeDirectory in AD.
>
> I have trouble with homedir. It's using subdomain_homedir from
> sssd.conf and not reflecting the value of unixHomeDirectory attribute.
>
> Is there any way to use value from AD not from subdomain_homedir
> template for this parameter ?
>
> Regards,
> Jan
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson"
> *To: *"Jan Karásek" , "Alexander Bokovoy"
> *Cc: *freeipa-users at redhat.com
> *Sent: *Thursday, July 21, 2016 3:54:25 PM
> *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hello,
>
> You should remove the following from sssd.conf:
>
> [domain/example.tt]
> debug_level = 7
> ldap_id_mapping = False
> id_provider = ad
>
> With the AD trust configuration, you do not need to specify any
> additional domain because IPA will contact AD across the trust using
> the external and POSIX groups you created during the trust setup.
>
> Once done try restarting sssd and removing the /var/lib/sss/db/* cache
>
> Kind regards,
> Justin Stephenson
>
> On 07/21/2016 07:56 AM, Jan Karásek wrote:
>
> Thank you.
>
> Now I have IDMU installed and when creating trust, IPA is
> correctly autodetecting the range type:
>
> Range name: EXAMPLE.TT_id_range
> First Posix ID of the range: 10000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> Range type: Active Directory trust range with POSIX attributes
>
> When asking for uid of the AD user:
>
> [root at ipa1 sssd]# id user1 at example.tt
> uid=1392001119(user1 at example.tt) gid=1392001119(user1 at example.tt)
> groups=1392001119(user1 at example.tt),1392000513(domain users at example.tt),979000007(external_users)
>
> ... so ID-mapping is still in action.
>
> According to doc:
>
> To use existing POSIX attributes, two things must be configured:
>
> * The POSIX attributes must be published to Active Directory's
>   global catalog. - done with uidNumber, gidNumber
> * ID mapping (ldap_id_mapping in the Active Directory domain
>   entry) must be disabled in SSSD. - done
>
> Here is my sssd.conf from IPA server. Is there anything else I
> should do to switch off ID-mapping ?
>
> [domain/a.example.tt]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [domain/example.tt]
> debug_level = 7
> ldap_id_mapping = False
> id_provider = ad
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = a.example.tt, example.tt
>
> [nss]
> #debug_level = 5
> #homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
> [pam]
> #debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> #debug_level = 4
> [pac]
>
> #debug_level = 4
> [ifp]
>
> Regards,
> Jan
> ------------------------------------------------------------------------
> *From: *"Alexander Bokovoy"
> *To: *"Jan Karásek"
> *Cc: *"Justin Stephenson" , freeipa-users at redhat.com
> *Sent: *Wednesday, July 20, 2016 6:06:29 PM
> *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
>
> On Wed, 20 Jul 2016, Jan Karásek wrote:
> >Hi,
> >
> >thank you.
> >
> >ldapsearch reply:
> >
> >search: 2
> >result: 32 No such object
> >matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
> >text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
> >'CN=RpcServices,CN=System,DC=rwe,DC=tt'
> >
> >actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
> >
> >Did I miss setting something on the AD site ?
> Yes. You need to setup IDMU. However, in Windows Server 2016 Microsoft
> removed IDMU tools. The LDAP schema will stay but there will
> be no means to visually edit POSIX attributes.
>
> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
>
> >Thanks,
> >Jan
> >
> >From: "Justin Stephenson"
> >To: "Jan Karásek"
> >Cc: freeipa-users at redhat.com
> >Sent: Wednesday, July 20, 2016 4:09:02 PM
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >
> >These attributes should be available from port 389 and not the global catalog, please try a command such as:
> >
> >ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
> >
> >Replacing the root suffix in the search base, the ip-address and bind credentials.
> >
> >Kind regards,
> >Justin Stephenson
> >
> >On 07/20/2016 08:15 AM, Jan Karásek wrote:
> >
> >Hi,
> >
> >thank you for the hint.
> >
> >In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
> >
> >It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
> >
> >If I understand it right, it is base uid number and the number of uids in range.
> >
> >If not discovered nor given via CLI, then it generate random base and add some default_range_size.
> >
> >So these two attributes must be set to use ipa-ad-trust-posix range ?
> >
> >Could anybody help me how and where to check these attributes ? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned.
> >I'm using W2012 R2.
> >
> >Thank you,
> >Jan
> >
> >From: "Justin Stephenson"
> >To: "Jan Karásek" , freeipa-users at redhat.com
> >Sent: Tuesday, July 19, 2016 8:36:00 PM
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >
> >Hello,
> >
> >When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
> >
> >You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
> >
> >I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
> >
> >Kind regards,
> >Justin Stephenson
> >
> >On 07/19/2016 09:44 AM, Jan Karásek wrote:
> >
> >Hi,
> >
> >I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ?
> >
> >I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute.
> >
> >What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?
> >
> >Do I have to mandatory fill some AD user's attributes to get it work ? Currently I'm testing just with uidNumber and gidNumber.
> >
> >There is almost no documentation about this topic so I don't know what else I can try ...
> >
> >Thanks for help,
> >
> >Jan
> >
> >Date: Tue, 21 Jun 2016 21:38:15 +0200
> >From: Jakub Hrozek
> >To: freeipa-users at redhat.com
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >Message-ID: <20160621193815.GS29512 at hendrix>
> >Content-Type: text/plain; charset=iso-8859-1
> >
> >On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> >> Hi all,
> >>
> >> I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
> >>
> >> I have set up trust with these parameters:
> >>
> >> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
> >
> >Did you add the POSIX attributes to AD after creating the trust maybe?
> >
> >>
> >> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> >> Range name: EXAMPLE.TT_id_range
> >> First Posix ID of the range: 1392000000
> >> Number of IDs in the range: 200000
> >> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> >> Range type: Active Directory trust range with POSIX attributes
> >>
> >>
> >> I have set attributes in AD for user at EXAMPLE.TT
> >> - uidNumber -10000
> >> - homeDirectory -/home/user
> >> - loginShell - /bin/bash
> >>
> >> Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
> >>
> >> Problem is, that I am not getting uid from AD but from idrange:
> >>
> >> uid=1392001107( user at example.tt )
> >>
> >> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
> >
> >This has no effect, in IPA-AD trust scenario, the id mapping properties
> >are managed on the server.
> >
> >> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users information are externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD.
> >
> >I think idviews are better for overriding POSIX attributes for a
> >specific set of hosts, but in your environment, it sounds like you want
> >to use the POSIX attributes across the board.
> >
> >>
> >> So my questions are:
> >>
> >> Is it possible to read user's POSIX attributes directly from AD - namely uid ?
> >
> >Yes
> >
> >> Which attributes can be stored in AD ?
> >
> >Homedir is a bit special, for backwards compatibility the
> >subdomains_homedir takes precedence. The others should be read from AD.
> >
> >I don't have the environment set at the moment, though, so I'm operating
> >purely from memory.
> >
> >> Am I doing something wrong ?
> >>
> >> my sssd.conf:
> >> [domain/a.example.tt]
> >> debug_level = 5
> >> cache_credentials = True
> >> krb5_store_password_if_offline = True
> >> ipa_domain = a.example.tt
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = ipa1.a.example.tt
> >> chpass_provider = ipa
> >> ipa_server = ipa1.a.example.tt
> >> ipa_server_mode = True
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> #ldap_id_mapping = true
> >> #subdomain_inherit = ldap_user_principal
> >> #ldap_user_principal = nosuchattribute
> >>
> >> [sssd]
> >> services = nss, sudo, pam, ssh
> >> config_file_version = 2
> >>
> >> domains = a.example.tt
> >> [nss]
> >> debug_level = 5
> >> homedir_substring = /home
> >> enum_cache_timeout = 2
> >> entry_negative_timeout = 2
> >>
> >>
> >> [pam]
> >> debug_level = 5
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >> debug_level = 4
> >> [pac]
> >>
> >> debug_level = 4
> >> [ifp]
> >>
> >> Thanks,
> >> Jan
> >
> >--
> >Manage your subscription for the Freeipa-users mailing list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> >Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy

From rcritten at redhat.com Tue Jul 26 21:22:47 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2016 17:22:47 -0400
Subject: [Freeipa-users] IPA certificates expired, please help!
In-Reply-To:
References: <578F85E2.7010704@redhat.com>
 <578FC170.20405@redhat.com>
 <7c432ec3-b5aa-e959-c3d7-0f43ae329513@redhat.com>
 <8e6df972-552b-dcd2-ff29-8398cb85e458@redhat.com>
 <5790F710.8040900@redhat.com>
 <579269D8.6040601@redhat.com>
Message-ID: <5797D4A7.10804@redhat.com>

Linov Suresh wrote:
> Removed the duplicate certificates and tried to renew the
> certificates, we were able to renew the certificates and "*ca-error:
> Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true"*."
> gone this time.
>
> Thanks for your help. We have a master replica also, *how do we renew
> the replica server*?

Pretty much the same way: go back in time. If you have a CA on this
other master then it can fetch the subsystem certs directly from LDAP so
that should pretty much work no matter what the current date is. For the
certs for 389-ds and Apache you'll probably need to go back in time to
when they are still valid.

rob

>
> On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh wrote:
>
>> Thank you very much Rob.
>> Let me remove the duplicate certificates and try to renew the
>> certificates again to see if "*ca-error: Internal error: no response
>> to
>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true"*."
>> goes away?
> > > On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden > wrote: > > Linov Suresh wrote: > > Could you please verify, if we have set correct trust > attributes on the > certificates > > *root at caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* > > Certificate Nickname > Trust > Attributes > > SSL,S/MIME,JAR/XPI > > subsystemCert cert-pki-ca > u,u,Pu > ocspSigningCert cert-pki-ca > u,u,u > caSigningCert cert-pki-ca > CTu,Cu,Cu > subsystemCert cert-pki-ca > u,u,Pu > Server-Cert cert-pki-ca > u,u,u > auditSigningCert cert-pki-ca > u,u,Pu > * > * > *[root at caer ~]# certutil -d /etc/httpd/alias/ -L* > > Certificate Nickname > Trust > Attributes > > SSL,S/MIME,JAR/XPI > > ipaCert > u,u,u > Server-Cert u,u,u > TELOIP.NET IPA CA > CT,C,C > ipaCert > u,u,u > Signing-Cert u,u,u > Server-Cert u,u,u > > *[root at caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L* > > Certificate Nickname > Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Server-Cert > u,u,u > TELOIP.NET IPA CA > CT,,C > Server-Cert > u,u,u > [root at caer ~]# > > *Please note, there are duplicate certificates in CA, HTTP > and LDAP > directory, subsystemCert cert-pki-ca, ipaCert and > Server-Cert. I was > wondering if we need to remove these duplicate certificates? * > > > Yeah you should remove the duplicate certs, they seem to cause > problems with dogtag at least (certmonger _should_ handle this > automatically, we'll be looking into it soonish). > > To remove the duplicate cert: > > 1. Shutdown the service > 2. Back up the NSS database > 3. certutil -L -d /path/to/db -n -a > somefile > 4. split somefile into separate files so each file as a > BEGIN/END certificate > 5. openssl x509 -text -in -infile somefile1..n > 6. Pick the one with the most recent issuance date > 7. You backed up the NSS database, right? > 8. certutil -D -d /path/to/db -n > 9. certutil -A -d /path/to/db -n -t u,u,u -a -i > somefilex > 10. 
Start the service, watch logs for errors > > For the trust use whatever the original trust value was. > > You don't need the P trust flag on the subsystemCert in the CA, > only the auditSigningCert. > > I doubt the duplicated Server-Cert will be a problem. NSS is > supposed to deal with this automatically, picking the "most > correct" cert to use based on the validity period. > > rob > > > > On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh > > >> wrote: > > I'm facing another issue now, my kerberos tickets are > not renewing, > > *[root at caer ~]# ipa cert-show 1* > ipa: ERROR: Ticket expired > > *[root at caer ~]# klist* > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > > > Valid starting Expires Service principal > 07/20/16 14:42:26 07/21/16 14:42:22 > krbtgt/TELOIP.NET at TELOIP.NET > > > 07/20/16 14:42:36 07/21/16 14:42:22 > HTTP/caer.teloip.net at TELOIP.NET > > > > 07/21/16 11:40:15 07/21/16 14:42:22 > ldap/caer.teloip.net at TELOIP.NET > > > > > I need to manually renew the tickets every day, > > *[root at caer ~]# kinit admin* > Password for admin at TELOIP.NET > >: > Warning: Your password will expire in 6 days on Thu Jul > 28 15:20:15 2016 > > *[root at caer ~]# klist * > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: admin at TELOIP.NET > > > > Valid starting Expires Service principal > 07/22/16 09:34:52 07/23/16 09:34:49 > krbtgt/TELOIP.NET at TELOIP.NET > > > > > On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden > > >> > wrote: > > Linov Suresh wrote: > > The httpd_error log doesn't contain the part > where `ipa > cert-show 1` was > run. If it is from the same time. > > *I am not sure about that, please see > httpd_error when `ipa > cert-show 1` > was run* > > > The IPA API log isn't going to show much in this case. > > Requests to the CA are proxied through IPA. The CA > WAR is not > running on tomcat so when Apache tries to proxy the > request > tomcat returns a 404, Not Found. 
>>> You need to start with the dogtag debug and selftest logs to see
>>> what is going on. The logs are pretty verbose and can be
>>> challenging to read.
>>>
>>> rob
>>>
>>>> [root at caer ~]# *tail -f /var/log/httpd/error_log*
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver_session.__call__:
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id = bc2c7ed0eccd840dc266efaf9ece913c
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:18:54
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_13554"
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net at TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16 10:31:44)
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1469197604 expiration=1469118081.77 (2016-07-21T12:21:21)
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection context.ldap2
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve certificate
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: ipaserver.plugins.dogtag.ra.get_certificate()
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post 'xml=true&serialNumber=1'
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>>> *.*
>>>> *.*
>>>> *.*
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>>> *.*
>>>> *.*
>>>> *.*
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin at TELOIP.NET: cert_show(u'1'): CertificateOperationError
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"
>>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session: session_id=bc2c7ed0eccd840dc266efaf9ece913c start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21 expiration_timestamp=2016-07-21T12:21:21
>>>>
>>>> Does `ipa cert-show` communicate with the same replica? Could be
>>>> verified by `ipa -vv cert-show`
>>>>
>>>> *It's asking for the serial number of the certificate. If I give 64
>>>> (serial number of ipaCert ), I get ipa: ERROR: Certificate operation
>>>> cannot be completed: Unable to communicate with CMS (Not Found)*
>>>>
>>>> *[root at caer ~]# ipa -vv cert-show*
>>>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>>> *.*
>>>> *.*
>>>> *.*
>>>> ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: found session_cookie in persistent storage for principal 'admin at TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'
>>>> ipa: DEBUG: setting session_cookie into context 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>>>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>>>> ipa: DEBUG: Created connection context.xmlclient
>>>> Serial number: 64
>>>> ipa: DEBUG: raw: cert_show(u'64')
>>>> ipa: DEBUG: cert_show(u'64')
>>>> ipa: INFO: Forwarding 'cert_show' to server u'https://caer.teloip.net/ipa/session/xml'
>>>> ipa: DEBUG: NSSConnection init caer.teloip.net
>>>> ipa: DEBUG: Connecting: 10.20.0.75:0
>>>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'
>>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>>> *.*
>>>> *.*
>>>> *.*
>>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"
>>>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>>> send: " encoding='UTF-8'?>\n\ncert_show\n\n\n\n64\n\n\n\n\n\n\n\n\n"
>>>> reply: 'HTTP/1.1 200 Success\r\n'
>>>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>>>> header: Server: Apache/2.2.15 (CentOS)
>>>> header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>>>> header: Connection: close
>>>> header: Content-Type: text/xml; charset=utf-8
>>>> ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'
>>>> ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
>>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>>> ipa: DEBUG: stdout=457971704
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin at TELOIP.NET
>>>> ipa: DEBUG: stdout=457971704
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: args=keyctl pupdate 457971704
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> body: " encoding='UTF-8'?>\n\n\n\n\nfaultCode\n4301\n\n\nfaultString\nCertificate operation cannot be completed: Unable to communicate with CMS (Not Found)\n\n\n\n\n"
>>>> ipa: DEBUG: Caught fault 4301 from server https://caer.teloip.net/ipa/session/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>>> [root at caer ~]#
>>>>
>>>> But more interesting is: SelfTestSubsystem: The CRITICAL self test
>>>> plugin called selftests.container.instance.SystemCertsVerification
>>>> running at startup FAILED!
>>>>
>>>> Are you sure that CA is running?
>>>> # ipactl status
>>>>
>>>> *Yes, CA is running, *
>>>>
>>>> *[root at caer ~]# ipactl status*
>>>> Directory Service: RUNNING
>>>> KDC Service: RUNNING
>>>> KPASSWD Service: RUNNING
>>>> DNS Service: RUNNING
>>>> MEMCACHE Service: RUNNING
>>>> HTTP Service: RUNNING
>>>> CA Service: RUNNING
>>>>
>>>> This looks like that self test fail and therefore CA shouldn't start.
>>>> It also says that some of CA cert is not valid. Which one might be seen in
>>>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>>>
>>>> *[root at caer ~]# tail -100 /var/log/pki-ca/debug *
>>>>
>>>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik wrote:
>>>>
>>>>> On 07/21/2016 05:14 PM, Linov Suresh wrote:
>>>>>> I set debug=true in /etc/ipa/default.conf
>>>>>>
>>>>>> Here are my logs,
>>>>>
>>>>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>>>>> run. If it is from the same time.
>>>>> Does `ipa cert-show` communicate with the same replica? Could be
>>>>> verified by `ipa -vv cert-show`
>>>>>
>>>>> But more interesting is:
>>>>>
>>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>>> selftests.container.instance.SystemCertsVerification running at startup
>>>>> FAILED!
>>>>>
>>>>> Are you sure that CA is running?
>>>>> # ipactl status
>>>>>
>>>>> This looks like that self test fail and therefore CA shouldn't start. It
>>>>> also says that some of CA cert is not valid. Which one might be seen in
>>>>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>>>>
>>>>>> *[root at caer ~]# tail -f /var/log/httpd/error_log*
>>>>>>
>>>>>> *[root at caer ~]# tail -f /var/log/pki-ca/debug*
>>>>>>
>>>>>> *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
>>>>>> *[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>>>>>> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>>>>> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>>>>> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
>>>>>> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>>>>>> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>>>>>
>>>>>> But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR:
>>>>>> Certificate operation cannot be completed: Unable to

From rcritten at redhat.com Tue Jul 26 21:24:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2016 17:24:35 -0400
Subject: [Freeipa-users] Deny bind for external LDAP if password is expired
In-Reply-To:
References: <506350cf-be92-88c9-32ae-1581ea866d47@redhat.com> <5783A97F.5040406@redhat.com>
Message-ID: <5797D513.5000303@redhat.com>

Prashant Bapat wrote:
> In our FreeIPA deployment the clients use pam_nss_ldapd with the
> "compat" schema. No ipa-client.
>
> I'm planning to apply the patched ipa_pwd_extop plugin to only 2 of the
> replicas (out of 8) where the external app authenticates against IPA's
> LDAP. These 2 replicas are more used like readonly. The Web UI where the
> users login and change their profile is not on these replicas.
>
> With this LDAP binds are denied to users with expired passwords from the
> external app.
>
> Will this setup have any issues, related to replication etc ?

I don't think it will cause any replication issues. You may want to
remove them from the SRV entries if you have one. Clients outside of
your external apps could end up connecting to them through
autodiscovery otherwise (and maybe that's ok, up to you).
rob

> On 11 July 2016 at 19:43, Rob Crittenden wrote:
>
>> Prashant Bapat wrote:
>>> I cherrypicked the commit id 3b7d5e7543a074d7d24556cadc6c95be9871cfc6
>>> and compiled the ipa-pwd-extop slapi plugin.
>>>
>>> Now the user is denied bind. But unable to reset the password.
>>
>> Right, it's a tricky problem which is why it hasn't been resolved
>> yet. You have come full circle through the same steps we went through.
>>
>> rob
>>
>>> On 8 July 2016 at 13:21, Martin Kosek wrote:
>>>
>>>> On 07/07/2016 05:19 PM, Prashant Bapat wrote:
>>>>> Anyone ?!
>>>>>
>>>>> On 6 July 2016 at 22:36, Prashant Bapat wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> We are using FreeIPA's LDAP as the base for user authentication in a
>>>>>> different application. So far I have created a sysaccount which does the
>>>>>> lookup etc for a user and things are working as expected. I'm even able to
>>>>>> use OTP from the external app.
>>>>>>
>>>>>> One problem I'm struggling to fix is the expired passwords. Is there a way
>>>>>> to deny bind to LDAP only from this application? Obviously the user would
>>>>>> need to go to IPA's web UI and reset his password there.
>>>>>>
>>>>>> I came across this ticket https://fedorahosted.org/freeipa/ticket/1539 but
>>>>>> looks like this is an old one.
>>>>>>
>>>>>> Thanks.
>>>>>> --Prashant
>>>>
>>>> Hello Prashant,
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1539 seems to be the right
>>>> ticket, if you want users with expired passwords to be denied, but it
>>>> was not implemented yet. Help welcome!
>>>>
>>>> As a workaround, I assume you could simply leverage Kerberos for
>>>> authentication - it does respect expired passwords. We have advice on
>>>> how to integrate that to external web applications here:
>>>>
>>>> http://www.freeipa.org/page/Web_App_Authentication
>>>>
>>>> Martin

From rcritten at redhat.com Tue Jul 26 21:25:50 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2016 17:25:50 -0400
Subject: [Freeipa-users] Replica install fails when using --setup-ca
In-Reply-To:
References:
Message-ID: <5797D55E.2060505@redhat.com>

Linov Suresh wrote:
> I tried to create master replica using the option --setup-ca, it failed,
> because of "Your system may be partly configured."
>
> Please note we use different ipa package for master and replica.
>
> master:
> [root at caer ~]# rpm -q ipa-server
> ipa-server-3.0.0-26.el6_4.2.x86_64
>
> replica:
> [root at neit-lab01 ~]# rpm -q ipa-server
> ipa-server-3.0.0-50.el6.1.x86_64
>
> *Is this because ipa-server-3.0.0-50 has updates feature "Proxy calls to
> /ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
> Dogtag 10 PKI (#1083878)"*
>
> If yes, how do we fix it? Your help is appreciated.
>
> [root at neit-lab01 ipa]# *ipa-replica-install --setup-dns --setup-ca
> --no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg*
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'caer.teloip.net':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
>
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at TELOIP.NET password:
>
> Execute check on remote master
> Check connection from master to remote replica 'neit-lab01.teloip.net':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30
> seconds
> [1/17]: creating certificate server user
> [2/17]: creating pki-ca instance
> [3/17]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> neit-lab01.teloip.net -cs_port 9445
> -client_certdb_dir /tmp/tmp-t5u9YQ -client_certdb_pwd XXXXXXXX
> -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name IPA -admin_user admin
> -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
> -ldap_host neit-lab01.teloip.net
> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
> -ca_subsystem_cert_subject_name CN=CA
> Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name
> CN=OCSP Subsystem,O=TELOIP.NET
> -ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
> -ca_sign_cert_subject_name CN=Certificate
> Authority,O=TELOIP.NET -external false -clone true
> -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname
> caer.teloip.net -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
>

You need to look at the dogtag logs to see any reasonable errors. IPA
doesn't get much back from the dogtag installer except a pass/fail
(especially in 3.x).
rob

From ftweedal at redhat.com Wed Jul 27 02:52:26 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 27 Jul 2016 12:52:26 +1000
Subject: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
In-Reply-To: <2142044.BEM9oH7mMN@linux-ws1.messinet.com>
References: <3397838.Y5170lQIpI@linux-ws1.messinet.com> <20160726034519.GM10771@dhcp-40-8.bne.redhat.com> <20160726044038.GN10771@dhcp-40-8.bne.redhat.com> <2142044.BEM9oH7mMN@linux-ws1.messinet.com>
Message-ID: <20160727025226.GX10771@dhcp-40-8.bne.redhat.com>

On Tue, Jul 26, 2016 at 05:16:34AM -0500, Anthony Joseph Messina wrote:
> On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote:
> > On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> > > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > > > responder" with the following command. I can confirm certificate with
> > > > serial 0x14 is present in the system and is not expired/revoked, etc.
> > > > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> > > > in the Dogtag output below.
> > > >
> > > > # /usr/bin/openssl ocsp \
> > > >   -issuer /etc/ipa/ca.crt \
> > > >   -nonce \
> > > >   -CAfile /etc/ipa/ca.crt \
> > > >   -url "http://ipa-ca.example.com/ca/ocsp" \
> > > >   -serial 0x14
> > > >
> > > > # rpm -q freeipa-server pki-server
> > > > freeipa-server-4.3.1-1.fc24.x86_64
> > > > pki-server-10.3.3-1.fc24.noarch
> > >
> > > Hi Anthony,
> > >
> > > I wrote this code and I think I know what the issue is. Could you
> > > please execute `pki-server db-upgrade -v` as root, then try the OCSP
> > > request again?
> > >
> > > If it works, happy day for you, and for me too because it confirms
> > > the issue which I must fix :)
> >
> > On further investigation, what I thought was the problem cannot be
> > the problem. No need to follow my earlier suggestion.
> >
> > But I found (and fixed) something else. Would you be willing to try
> > my COPR build[1]? It contains the linked patch[2] plus whatever is
> > between your installed pki version and the Dogtag master branch at
> > a307cf68e91327ddbef4b9d7e2bbd3991354831f.
> >
> > [1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
> > [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch
> >
> > Alternatively, you can apply the patch and build Dogtag yourself
> > (if, e.g., you do not trust my COPR packages, which is fair enough
> > ^_^)
>
> Your COPR repo with this patch fixes the OCSP responder issue. Thank you
> Fraser. -A
>

Thank you for testing! Patch will now be reviewed by Dogtag team and
hopefully we can get an official build out soon.

Cheers,
Fraser

From jbaird at follett.com Wed Jul 27 12:38:06 2016
From: jbaird at follett.com (Baird, Josh)
Date: Wed, 27 Jul 2016 12:38:06 +0000
Subject: [Freeipa-users] Problems with web console in IPA
Message-ID:

Hi,

We are running the most recent IPA packages in RHEL7 and are facing a few issues when accessing the web console:

First, since we utilize a Kerberos trust with AD, we had to create 'internal' IPA users that we use to login to the web console. I believe it is expected that AD users cannot login to the web console, but this may be coming in a future version?

Secondly, when we browse to the web console from a Windows system that is joined to our AD domain, we first see a 'basic auth' popup that asks us for our user credentials. No username or password is accepted here. If we hit 'Escape' the normal IPA forms-based authentication appears. We are able to login via this form. What is causing the 'basic auth' popup?

Lastly, we are not able to login *unless* we use Chrome's 'incognito mode.'
If we browse to the web console in a normal browser, we first have to escape out of the 'basic-auth' window, but after we input our username/password into the form, another 'basic-auth' window pops up. If we escape out of this, the forms-based login now displays 'Your session has expired. Please re-login.' Because of this, we *have* to use Chrome's incognito function.

Can anyone offer some suggestions or advice for these problems?

Thanks,

Josh

From malo at avast.com Wed Jul 27 12:41:39 2016
From: malo at avast.com (malo)
Date: Wed, 27 Jul 2016 14:41:39 +0200
Subject: [Freeipa-users] AD Sync and groups
In-Reply-To: <20160726083046.h6hqgyidmrjylipy@redhat.com>
References: <57971AEA.3020302@avast.com> <20160726083046.h6hqgyidmrjylipy@redhat.com>
Message-ID:

Hi,

Thank you for your reply, it really is much clearer to me now.

I think I get why SSSD offline authentication would help to solve the "AD unreachable" issue.

If I understood well, the SSSD on the IPA master would cache credentials, allowing the user to log in (as in the kinit meaning) even if the AD is unreachable?

At last, I did not quite understand how the KDC proxy would help to prevent network related issues. To me it is just a way to allow users with restrictive firewall rules to authenticate and request tickets, if I understood well (from this doc https://www.freeipa.org/page/V4/KDC_Proxy).

Thanks again for your help,

Nathan

On 07/26/2016 10:30 AM, Alexander Bokovoy wrote:
> On Tue, 26 Jul 2016, malo wrote:
>> Hello,
>>
>> I am currently setting up an architecture involving FreeIPA to
>> provide SSO for SSH to the servers.
>> I have several servers (~1500) in a few datacenters all over the
>> world (North America, South America, Europe, Asia).
>> The idea here was to have 4 masters/replicas per datacenter, with one
>> master/replica involved in a winsync replication process with our AD.
>> Thus, we would not suffer network outages, slowdowns or timeouts
>> because each FreeIPA server would have a closer database of users
>> instead of querying a long distance AD.
>>
>> I've managed to set up successfully the winsync replication (after
>> having trouble with replication rights). I then turned on group
>> replication:
>>
>> ldapmodify -x -D "cn=directory manager" -w PASS
>>
>> dn: cn=meToad.XXX.example.com,cn=replica,cn=dc\3Dipa\2Cdc\3Dff\2Cdc\3Dxxx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds7NewWinGroupSyncEnabled
>> nsds7NewWinGroupSyncEnabled: true
>>
>>
>> I re-initialized the replication but I have no groups.
>> I did a little digging and came on this:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1002414
>> Very unfortunate for me but a few things bother me.
>>
>> It says "reenable" in the RFE and I also found this documentation:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Using_Windows_Sync-Synchronizing_Groups.html
>
> There is a difference between 389-ds winsync and FreeIPA winsync. The
> latter is a simplified version that doesn't see development anymore and
> is not supporting group sync because groups on IPA side are sufficiently
> different from AD groups while generic 389-ds winsync plugin is not
> tuned to IPA DIT.
>
>> It clearly specifies how to sync groups, which I enabled, but
>> nothing happens for me.
>> So, my questions would be:
>> - Is winsync group sync still enabled?
>> - If not, why and when has it been disabled?
>> - Is there any way I could reenable it, by digging into the code?
>>
>> Group sync seems a really MUST HAVE as a feature for the winsync,
>> since flat hierarchy is not really useful, imho.
> IPA uses flat hierarchy and has no support for non-flat DIT.
>
>> I can't consider an AD Trust architecture, it would be too dangerous
>> since the network connectivity of the AD is not safe enough, I could
>> not risk to block SSH access on my servers because of network lag.
>>
>> Has anyone been in a similar situation? Have you implemented AD
>> trust or winsync replication at such a large scale?
> I cannot tell about actual deployments but there are plenty deployments
> with trust to AD in multiple data centers.
>
> If you need, with FreeIPA 4.0+ you can actually proxy Kerberos
> authentication via IPA servers to AD DCs and also can do offline
> authentication in SSSD.

From abokovoy at redhat.com Wed Jul 27 13:02:29 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Jul 2016 16:02:29 +0300
Subject: [Freeipa-users] AD Sync and groups
In-Reply-To:
References: <57971AEA.3020302@avast.com> <20160726083046.h6hqgyidmrjylipy@redhat.com>
Message-ID: <20160727130229.egphlpkiqgdkuqm7@redhat.com>

On Wed, 27 Jul 2016, malo wrote:
>Hi,
>
>Thank you for your reply, it really is much clearer to me now.
>
>I think I get why SSSD offline authentication would help to solve the "AD
>unreachable" issue.
>
>If I understood well, the SSSD on the IPA master would cache
>credentials, allowing the user to log in (as in the kinit meaning)
>even if the AD is unreachable?
On each IPA client, including IPA master. You always log in to the
specific host and SSSD always tries to reach the server that gives the
authentication response (AD DCs, in the case of AD users). If it cannot
reach that server, offline authentication is considered.

>At last, I did not quite understand how the KDC proxy would help to
>prevent network related issues.
>
>To me it is just a way to allow users with restrictive firewall rules
>to authenticate and request tickets, if I understood well (from this
>doc https://www.freeipa.org/page/V4/KDC_Proxy)
Right.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Jul 27 13:08:10 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Jul 2016 16:08:10 +0300
Subject: [Freeipa-users] Problems with web console in IPA
In-Reply-To:
References:
Message-ID: <20160727130810.j6nmczyfuvhgohmv@redhat.com>

On Wed, 27 Jul 2016, Baird, Josh wrote:
>Hi,
>
>We are running the most recent IPA packages in RHEL7 and are facing a
>few issues when accessing the web console:
>
>First, since we utilize a Kerberos trust with AD, we had to create
>'internal' IPA users that we use to login to the web console. I
>believe it is expected that AD users cannot login to the web console,
>but this may be coming in a future version?
Correct. Not supported right now.

>
>Secondly, when we browse to the web console from a Windows system that
>is joined to our AD domain, we first see a 'basic auth' popup that asks
>us for our user credentials. No username or password is accepted here.
>If we hit 'Escape' the normal IPA forms-based authentication appears.
>We are able to login via this form. What is causing the 'basic auth'
>popup?
In short -- bugs in your browser, specifically, in Chrome. Chrome is
pretty bad in its handling of the Negotiate authentication response; it
assumes too much and doesn't use the proper negotiation flow.
mod_auth_gssapi has some way to handle it other than completely
disabling the Negotiate header, but it is still not a fully solved
problem. https://github.com/modauthgssapi/mod_auth_gssapi/pull/65 has
more details.

>Lastly, we are not able to login *unless* we use Chrome's 'incognito
>mode.' If we browse to the web console in a normal browser, we first
>have to escape out of the 'basic-auth' window, but after we input our
>username/password into the form, another 'basic-auth' window pops up.
>If we escape out of this, the forms based login now displays 'Your
>session has expired. Please re-login.' Because of this, we *have* to
>use Chrome's incognito function.
That's a Chrome bug when Negotiate fails but is still offered by the server.

--
/ Alexander Bokovoy

From abuharis709 at gmail.com Wed Jul 27 09:35:24 2016
From: abuharis709 at gmail.com (Abu Haris)
Date: Wed, 27 Jul 2016 15:05:24 +0530
Subject: [Freeipa-users] AD cross-realm
Message-ID:

Sir/Madam,

I am in great trouble in choosing FreeIPA for identity management. I want to know more about AD cross-realm trust and how it works.

--
A.H

From mbabinsk at redhat.com Wed Jul 27 14:34:07 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 27 Jul 2016 16:34:07 +0200
Subject: [Freeipa-users] AD cross-realm
In-Reply-To:
References:
Message-ID:

On 07/27/2016 11:35 AM, Abu Haris wrote:
> Sir/Madam,
>
> I am in great trouble in choosing FreeIPA for identity management. I
> want to know more about AD cross-realm trust and how it works.
>
> --
> A.H
>
Hi Abu,

there is quite an extensive upstream documentation of IPA-AD trust workings and setup.
You can start by looking at http://www.freeipa.org/page/Trusts

--
Martin^3 Babinsky

From ROGER.KIMERY at deluxe.com Wed Jul 27 17:02:59 2016
From: ROGER.KIMERY at deluxe.com (Kimery, Roger)
Date: Wed, 27 Jul 2016 17:02:59 +0000
Subject: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with
Message-ID:

Hello,

We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)

Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com

Below is output from ipa trustdomain-find

Realm name: ROOTTEST1.COM
Domain name: deluxetest1.com
Domain NetBIOS name: DELUXETEST1
Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
Domain enabled: True

Domain name: roottest1.com
Domain NetBIOS name: ROOTTEST1
Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Users from roottest1.com domain work fine but users from deluxetest1.com domain cannot authenticate. As root you can su to users from both domains and run id with the expected output.
Below is output from running id from a user in each domain:

id t443167l at roottest1.com
uid=908601177(t443167l at roottest1.com) gid=908601177(t443167l at roottest1.com) groups=908601177(t443167l at roottest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),908600513(domain users at roottest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)

id t443167 at deluxetest1.com
uid=959201836(t443167 at deluxetest1.com) gid=959201836(t443167 at deluxetest1.com) groups=959201836(t443167 at deluxetest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),959202271(hbac-on-global at deluxetest1.com),959202270(lsar-on-global at deluxetest1.com),959200512(domain admins at deluxetest1.com),959200513(domain users at deluxetest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)

I have tried to make the groups in AD universal groups and have the groups from deluxetest1 as members of the related groups in roottest1 with no change in the results. These groups can be seen in the output above.

Is there a way to get users from deluxetest1.com domain to function with the same results as users from roottest1.com?

Please let me know what other information you need.

Thanks!

Roger Kimery
Tech. Solutions Integration Engineer
Deluxe Rewards
44747 Helm Ct
Plymouth, Mi. 48170
877-706-4321 ext 314912

From rakesh.rajasekharan at gmail.com Wed Jul 27 17:29:39 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Wed, 27 Jul 2016 22:59:39 +0530
Subject: [Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error
Message-ID:

Hi,

I am running ipa server 4.2 and set it up without using "--setup-dns=no".

On few clients the installation fails with the below error message.
I verified that the ipa master dns is resolvable. Not sure what could be wrong here..

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Could not resolve host: ipa-master-in.xyz.com; Unknown error

Use ipa-getkeytab to obtain a host principal for this server.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
Installation failed. Force set so not rolling back changes.

I tried removing /etc/ipa/ca.crt and deleting any older certificates with "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"

However, no luck yet..

Any suggestions on how I can debug this?

Thanks
Rakesh

From william.muriithi at gmail.com Thu Jul 28 03:24:05 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Wed, 27 Jul 2016 23:24:05 -0400
Subject: [Freeipa-users] PKI signing certificate question
Message-ID:

Hello

I want to use an external certificate when setting up a new FreeIPA next week and plan to send the CSR tomorrow.

I would like to source a certificate for example.com and use it on FreeIPA on eng.example.com. I can't specifically set the FreeIPA on example.com because we have active directory on corp.example.com

Is there a way for using FreeIPA with such a setup? I am hoping that if I can set up FreeIPA using example.com, I can be able to generate certificates for both Windows and Linux plus others like vpn.example.com that don't sit well on either AD or FreeIPA domain.

What's the best way to approach this? If not possible, would setting FreeIPA as a sub domain for active directory help?
Regards,

William

From anthonyclarka2 at gmail.com Thu Jul 28 04:35:31 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Thu, 28 Jul 2016 00:35:31 -0400
Subject: [Freeipa-users] PKI signing certificate question
In-Reply-To:
References:
Message-ID:

I personally haven't done this, but from https://www.freeipa.org/page/PKI

"when --external-ca option is used, ipa-server-install produces a certificate request for its CA certificate so that it can be properly chained in existing PKI infrastructure."

and from https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html

"First run ipa-server-install with --external-ca, which will create a CSR for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the external CA to get the IPA CA certificate. Finally, run ipa-server-install with --external_cert_file pointing to the IPA CA certificate and --external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option doesn't actually install anything, just creates the correct CSR for the domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the "ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <william.muriithi at gmail.com> wrote:
> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com. I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup? I am hoping that
> if I can set up FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus others like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> What's the best way to approach this? If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From jhrozek at redhat.com Thu Jul 28 07:49:42 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 Jul 2016 09:49:42 +0200
Subject: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with
In-Reply-To:
References:
Message-ID: <20160728074942.GG17320@hendrix>

On Wed, Jul 27, 2016 at 05:02:59PM +0000, Kimery, Roger wrote:
> Hello,
>
> We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)
>
> Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com
>
> Below is output from ipa trustdomain-find
>
> Realm name: ROOTTEST1.COM
> Domain name: deluxetest1.com
> Domain NetBIOS name: DELUXETEST1
> Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
> Domain enabled: True
>
> Domain name: roottest1.com
> Domain NetBIOS name: ROOTTEST1
> Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
> Domain enabled: True
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> Users from roottest1.com domain work fine but users from deluxetest1.com domain cannot authenticate. As root you can su to users from both domains and run id with the expected output.
> Below is output from running id from a user in each domain:
>
> id t443167l at roottest1.com
> uid=908601177(t443167l at roottest1.com) gid=908601177(t443167l at roottest1.com) groups=908601177(t443167l at roottest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),908600513(domain users at roottest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)
>
> id t443167 at deluxetest1.com
> uid=959201836(t443167 at deluxetest1.com) gid=959201836(t443167 at deluxetest1.com) groups=959201836(t443167 at deluxetest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),959202271(hbac-on-global at deluxetest1.com),959202270(lsar-on-global at deluxetest1.com),959200512(domain admins at deluxetest1.com),959200513(domain users at deluxetest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)
>
> I have tried to make the groups in AD universal groups and have the groups from deluxetest1 as members of the related groups in roottest1 with no change in the results. These groups can be seen in the output above.
>
> Is there a way to get users from deluxetest1.com domain to function with the same results as users from roottest1.com?
>
> Please let me know what other information you need.

We need the SSSD logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From pspacek at redhat.com Thu Jul 28 08:07:24 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 28 Jul 2016 10:07:24 +0200
Subject: [Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error
In-Reply-To:
References:
Message-ID:

On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running ipa server 4.2 and set it up without using "--setup-dns=no".
>
> On few clients the installation fails with the below error message.
>
>
> I verified that the ipa master dns is resolvable.
> Not sure what could be
> wrong here..
>
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: Could not resolve host: ipa-master-in.xyz.com; Unknown error
>
> Use ipa-getkeytab to obtain a host principal for this server.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
> Installation failed. Force set so not rolling back changes.
>
>
> I tried removing /etc/ipa/ca.crt and deleting any older certificates with
> "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
>
> However, no luck yet..
>
> Any suggestions on how I can debug this?

I would start with command:
$ dig ipa-master-in.xyz.com

It should print IPv4 address of the server ipa-master-in.xyz.com. If it does
not print it there is a problem with DNS. In that case usual DNS debugging
guides apply.

I hope it helps.

--
Petr^2 Spacek

From rakesh.rajasekharan at gmail.com Thu Jul 28 15:31:16 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Thu, 28 Jul 2016 21:01:16 +0530
Subject: [Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error
In-Reply-To:
References:
Message-ID:

Thanks for the inputs..

The issue was with my network. I was able to resolve it by adding NETWORKING_IPV6=no in /etc/sysconfig/network. Possibly it was using IPv6 resolution and that was failing.

On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek wrote:
> On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running ipa server 4.2 and set it up without using "--setup-dns=no".
> >
> > On few clients the installation fails with the below error message.
> >
> >
> > I verified that the ipa master dns is resolvable.
> > Not sure what could be
> > wrong here..
> >
> >
> > Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> > explaining: Could not resolve host: ipa-master-in.xyz.com; Unknown error
> >
> > Use ipa-getkeytab to obtain a host principal for this server.
> > Please make sure the following ports are opened in the firewall settings:
> > TCP: 80, 88, 389
> > UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > Also note that following ports are necessary for ipa-client working
> > properly after enrollment:
> > TCP: 464
> > UDP: 464, 123 (if NTP enabled)
> > Failed to obtain host TGT: (-1765328203, 'Key table entry not found')
> > Installation failed. Force set so not rolling back changes.
> >
> >
> > I tried removing /etc/ipa/ca.crt and deleting any older certificates with
> > "certutil -D -n 'IPA CA' -d /etc/pki/nssdb"
> >
> > However, no luck yet..
> >
> > Any suggestions on how I can debug this?
>
> I would start with command:
> $ dig ipa-master-in.xyz.com
>
> It should print IPv4 address of the server ipa-master-in.xyz.com. If it does
> not print it there is a problem with DNS. In that case usual DNS debugging
> guides apply.
>
> I hope it helps.
>
> --
> Petr^2 Spacek
>

From ROGER.KIMERY at deluxe.com Thu Jul 28 17:57:37 2016
From: ROGER.KIMERY at deluxe.com (Kimery, Roger)
Date: Thu, 28 Jul 2016 17:57:37 +0000
Subject: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with / logs
In-Reply-To:
References:
Message-ID:

Here is the requested sssd_nss.log

[root at ala00103 sssd]# view sssd_nss.log

(Thu Jul 28 17:36:55 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:36:55 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [lnx.dlxtest1.com]! (id out of range)
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [roottest1.com]! (id out of range)
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [deluxetest1.com]! (id out of range)
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
(Thu Jul 28 17:37:01 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [0]
(Thu Jul 28 17:37:02 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [959201836].
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959201836 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959201836 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=959201836]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959201836 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959201836]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959201836 at roottest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959201836 at roottest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=959201836]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959201836 at roottest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959201836]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959201836 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:11 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! 
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! 
(negative cache) (Thu Jul 28 17:37:11 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. 
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:11 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:11 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:11 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:11 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959201836 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959201836 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959201836 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][idnumber=959201836] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959201836 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959201836] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959201836 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:12 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959201836 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [t443167 at deluxetest1.com]. 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:3:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4099][1][name=t443167] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:3:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:12 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:12 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:3:t443167 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [959202271]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202271 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202271 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202271 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202271 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202271 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202271 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202271 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202271 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202271 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL 
view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202271 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][idnumber=959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202271 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202271] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202271 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:12 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202271 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [959202270]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202270 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202270 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202270 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202270 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202270 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202270 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202270 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202270 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959202270 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL 
view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959202270 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][idnumber=959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959202270 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959202270] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202270 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:12 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959202270 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [959200512]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200512 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200512 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200512 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200512 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200512 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200512 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200512 at lnx.dlxtest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200512 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200512 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL 
view, continuing with provided values. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200512 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][idnumber=959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200512 at deluxetest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200512] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200512 at roottest1.com] (Thu Jul 28 17:37:12 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:12 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:13 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200512 at deluxetest1.com] (Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [959200513]. (Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200513 at lnx.dlxtest1.com] (Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200513 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200513 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200513 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200513 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200513 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200513 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200513 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [959200513 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:959200513 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][idnumber=959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:959200513 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [959200513]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200513 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:959200513 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [908601174].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601174 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601174 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=908601174]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601174 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601174]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=908601174]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601174]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601174 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601174]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601174 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [908601175].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601175 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601175 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=908601175]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601175 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601175]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=908601175]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601175]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601175 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601175]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601175 at roottest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1114800007].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=1114800007]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800007]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800007]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:1114800007 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1114800006].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=1114800006]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800006]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800006]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:1114800006 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1114800010].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=1114800010]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800010]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800010]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:1114800010 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1114800009].
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=1114800009]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800009]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1114800009]
(Thu Jul 28 17:37:13 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:1114800009 at lnx.dlxtest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:14 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [lnx.dlxtest1.com]! (id out of range)
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [roottest1.com]! (id out of range)
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [deluxetest1.com]! (id out of range)
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [0]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:32 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:50 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [lnx.dlxtest1.com]! (id out of range)
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [roottest1.com]! (id out of range)
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Uid [0] does not exist in domain [deluxetest1.com]! (id out of range)
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [0]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:51 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [hbac-on-root-global at roottest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hbac-on-root-global at roottest1.com' matched expression for domain 'roottest1.com', user is hbac-on-root-global
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [hbac-on-root-global] from [roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [hbac-on-root-global at roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [hbac-on-root-global at roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [lsar-on-root-global at roottest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'lsar-on-root-global at roottest1.com' matched expression for domain 'roottest1.com', user is lsar-on-root-global
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [lsar-on-root-global] from [roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [lsar-on-root-global at roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [lsar-on-root-global at roottest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [domain admins at deluxetest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'domain admins at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is domain admins
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [domain admins] from [deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][name=domain admins]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [domain admins at deluxetest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'domain admins at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is domain admins
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [domain admins] from [deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][name=domain admins]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:domain admins at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [domain users at deluxetest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'domain users at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is domain users
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [domain users] from [deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][name=domain users]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache)
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [domain users at deluxetest1.com].
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'domain users at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is domain users
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [domain users] from [deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4098][1][name=domain users]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:domain users at deluxetest1.com]
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:54 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:domain users at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [lsar-on-global at deluxetest1.com]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'lsar-on-global at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is lsar-on-global (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [lsar-on-global] from [deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [lsar-on-global at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. 
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [lsar-on-global at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [lsar-on-global at deluxetest1.com]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'lsar-on-global at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is lsar-on-global (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [lsar-on-global] from [deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [lsar-on-global at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [lsar-on-global at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [hbac-on-global at deluxetest1.com]. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hbac-on-global at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is hbac-on-global (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [hbac-on-global] from [deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [hbac-on-global at deluxetest1.com] (Thu Jul 28 17:37:54 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jul 28 17:37:54 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:54 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:37:54 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [hbac-on-global at deluxetest1.com] (Thu Jul 28 17:37:55 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [hbac-on-global at deluxetest1.com]. (Thu Jul 28 17:37:55 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'hbac-on-global at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is hbac-on-global (Thu Jul 28 17:37:55 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [hbac-on-global] from [deluxetest1.com] (Thu Jul 28 17:37:55 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [hbac-on-global at deluxetest1.com] (Thu Jul 28 17:37:55 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jul 28 17:37:55 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:55 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:37:55 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [hbac-on-global at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:57 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com]. 
(Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167 (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:37:57 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [0]. (Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Uid [0] does not exist! (negative cache) (Thu Jul 28 17:37:57 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! 
(Thu Jul 28 17:37:57 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158262, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:37:57 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167 at deluxetest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4097][1][name=t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Identical request in progress: [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:3:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4099][1][name=t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:3:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [t443167l at roottest1.com] completed (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [908601177]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601177 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601177 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=908601177] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601177 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601177] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908601177 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [(null)] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908601177 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=908601177] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908601177 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [908601177 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908601177] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601177 at lnx.dlxtest1.com] (Thu Jul 28 
17:38:10 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [908600513]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908600513 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908600513 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lnx.dlxtest1.com][4098][1][idnumber=908600513] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908600513 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908600513] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [908600513 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [(null)] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:2:908600513 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [roottest1.com][4098][1][idnumber=908600513] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:2:908600513 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [908600513 at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [908600513] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908600513 at lnx.dlxtest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Identical request in progress: [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [t443167l] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Identical request in progress: [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:10 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. 
(Thu Jul 28 17:38:10 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:10 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908601177 at roottest1.com] (Thu Jul 28 17:38:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:2:908600513 at roottest1.com] (Thu Jul 28 17:38:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:1:t443167l at roottest1.com] (Thu Jul 28 17:38:11 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fa8a106b0d0:3:t443167l at roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. (Thu Jul 28 17:38:18 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:18 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. 
(Thu Jul 28 17:38:18 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167l at roottest1.com' matched expression for domain 'roottest1.com', user is t443167l (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167l] from [roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167l at roottest1.com] (Thu Jul 28 17:38:18 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:18 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:38:18 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [t443167l at roottest1.com] (Thu Jul 28 17:38:23 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [domain users at roottest1.com]. (Thu Jul 28 17:38:23 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'domain users at roottest1.com' matched expression for domain 'roottest1.com', user is domain users (Thu Jul 28 17:38:23 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [domain users] from [roottest1.com] (Thu Jul 28 17:38:23 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [domain users at roottest1.com] (Thu Jul 28 17:38:23 2016) [sssd[nss]] [sysdb_search_by_name] (0x0400): No such entry (Thu Jul 28 17:38:23 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Thu Jul 28 17:38:23 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Thu Jul 28 17:38:23 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Returning info for user/group [domain users at roottest1.com] (Thu Jul 28 17:38:27 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167l at roottest1.com]. 
Thanks!
Roger

Wednesday, July 27, 2016 1:02:59 PM
To: freeipa-users at redhat.com
Subject: Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with

Hello,

We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)

Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com

Below is output from ipa trustdomain-find

Realm name: ROOTTEST1.COM
  Domain name: deluxetest1.com
  Domain NetBIOS name: DELUXETEST1
  Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
  Domain enabled: True

  Domain name: roottest1.com
  Domain NetBIOS name: ROOTTEST1
  Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Users from roottest1.com domain work fine but users from deluxetest1.com domain cannot authenticate. As root you can su to users from both domains and run id with the expected output.
Below is output from running id for a user in each domain:

id t443167l at roottest1.com
uid=908601177(t443167l at roottest1.com) gid=908601177(t443167l at roottest1.com) groups=908601177(t443167l at roottest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),908600513(domain users at roottest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)

id t443167 at deluxetest1.com
uid=959201836(t443167 at deluxetest1.com) gid=959201836(t443167 at deluxetest1.com) groups=959201836(t443167 at deluxetest1.com),908601174(hbac-on-root-global at roottest1.com),908601175(lsar-on-root-global at roottest1.com),959202271(hbac-on-global at deluxetest1.com),959202270(lsar-on-global at deluxetest1.com),959200512(domain admins at deluxetest1.com),959200513(domain users at deluxetest1.com),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)

I have tried to make the groups in AD universal groups and have the groups from deluxetest1 as members of the related groups in roottest1, with no change in the results. These groups can be seen in the output above.

Is there a way to get users from deluxetest1.com domain to function with the same results as users from roottest1.com?

Please let me know what other information you need.

Thanks!

Roger Kimery
Tech. Solutions Integration Engineer
Deluxe Rewards
44747 Helm Ct
Plymouth, Mi. 48170
877-706-4321 ext 314912

From adam.m.lewis at navy.mil Thu Jul 28 19:02:25 2016
From: adam.m.lewis at navy.mil (Lewis, Adam M CIV NSWCDD, H11)
Date: Thu, 28 Jul 2016 19:02:25 +0000
Subject: [Freeipa-users] Certificate Issues
Message-ID:

We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16.
I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0), however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not helped.

When I run getcert list it reports:

Ca-error: Sever at "https://:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error

for both the IPA RA and CA Subsystem certs

The debug log shows:

SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

We are kind of in deep doo-doo until this gets resolved.

We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

Any thoughts?

Thanks!

Adam M. Lewis

From rcritten at redhat.com Thu Jul 28 19:36:12 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2016 15:36:12 -0400
Subject: [Freeipa-users] Certificate Issues
In-Reply-To:
References:
Message-ID: <579A5EAC.5000102@redhat.com>

Lewis, Adam M CIV NSWCDD, H11 wrote:
> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA RA certs expired as of 7/23/16. I found and followed the instructions to the letter (http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0), however the CA Subsystem and IPA RA certs will not renew. I've backdated the server to make sure the system was within the renewal window, but that has not helped.

Those are the wrong instructions. You want this instead, https://access.redhat.com/solutions/643753

A bunch of it is for 2.2 but it isn't exactly noted which parts.
A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify what, if anything, you changed from that wrong doc).

> When I run getcert list it reports:
> Ca-error: Sever at "https://:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error
> for both the IPA RA and CA Subsystem certs
>
> The debug log shows:
> SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=MISS.ION] authentication failure
> ReviewReqServlet: Invalid Credential.

The place to start is to get the serial # of the ipaCert:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

Now get the user from the dogtag LDAP server:

# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

The format is 2;;;

See if the serial # matches ipaCert. I'm guessing it won't. Follow the instructions on the page I cited to update the entry with the current certificate and serial # values.

That should get you going.

rob

> We are kind of in deep doo-doo until this gets resolved.
>
> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>
> Any thoughts?
>
> Thanks!
>
> Adam M. Lewis

From jhrozek at redhat.com Thu Jul 28 21:10:29 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 Jul 2016 23:10:29 +0200
Subject: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with / logs
In-Reply-To:
References:
Message-ID: <20160728211029.GA11494@hendrix>

On Thu, Jul 28, 2016 at 05:57:37PM +0000, Kimery, Roger wrote:
> Here is requested sssd_nss.log
>
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443167 at deluxetest1.com].
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443167 at deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443167 at deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443167 at deluxetest1.com]
> (Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 0, Account info lookup failed
> Will try to return what we have in cache

You need to look into the domain log to see why the lookup failed.

From jhrozek at redhat.com Fri Jul 29 11:40:28 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Jul 2016 13:40:28 +0200
Subject: [Freeipa-users] slow login with freeipa 4.2.0
In-Reply-To:
References: <20160725174204.GM12570@hendrix>
Message-ID: <20160729114028.GO11494@hendrix>

On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > Any chance that it's running on a VM? If so, check your entropy:
> > > cat /proc/sys/kernel/random/entropy_avail
> > If it's low (like < 1k), install haveged.
>
> this indeed is vm, am running it on azure. However, I have a similar set up running on aws which works completely fine

Sorry about the delay in replying..
> > The entropy was low, around 180, I installed haveged and now it's above 3k
> cat /proc/sys/kernel/random/entropy_avail
> 3178
>
> The timing though is still the same around 19s

I have some comments inline about the config and logs.

> @jakub, i am reattaching the logs.
>
> The dns resolution seems fast when I check using dig
>
> below is my sssd.conf
> [domain/xyz.com]
> selinux_provider=none
> krb5_auth_timeout = 20
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = xyz.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = 10.65.16.4

The ipa_hostname value is wrong. It's meant for systems where hostname reports a different name than the name the host is registered as in IPA. Including an IP address there doesn't make much sense.

> chpass_provider = ipa
> ipa_server = ipa-master-in.xyz.com
> dns_discovery_domain = xyz.com
> ignore_group_members=True
> ldap_purge_cache_timeout = 0
> debug_level=8
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = xyz.com
> [nss]
> homedir_substring = /home
>
> [pam]
> pam_id_timeout = 3
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> And here is the login times and logs
>
> [root at ipa-client-1 :~] date;ssh testuser at localhost
> Tue Jul 26 12:06:37 UTC 2016
> testuser at localhost's password:
> Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> [testuser at ipa-client-1 :~] date
> Tue Jul 26 12:06:55 UTC 2016
>
> sssd_domain logs
>
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]

--> A request for user's groups arrived.

> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com].
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[...]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

---> Here the request for user's groups finished. It took about a second in total.

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH

Preauthentication checks for available login methods...
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]

---> Here the preauth request finished, within a second.

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE

---> Authentication request is received.

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f88d1142ab0] done.
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]

Here the authentication finished successfully, again within a second..
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT

---> Access control request is received

> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]

--> User is granted access, we're within two seconds from the first request, still.

> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]

--> The selinux provider is disabled and quits immediately.
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
> (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]

--> The setcred PAM target does nothing, just returns success.

...And then nothing happens for 10 seconds, at least not in this log. Is there any activity in the other SSSD logs in the meantime?

> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]

...Until a request for user groups arrives here..

> (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

---> Is processed here.
> (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_message_handler] > (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler > on path /org/freedesktop/sssd/dataprovider > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_req_set_domain] > (0x0400): Changing request domain from [xyz.com] to [xyz.com] > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): > Got request with the following data > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > command: PAM_OPEN_SESSION And the session for the user is opened here. So my conclusion from the logs is that the delay is not within SSSD. The next things I would check are: - are there any other NSS modules in nsswitch.conf except sss and files? - is there any other PAM module in the PAM stack except pam_sss.so and pam_unix and those that you would expect after IPA client installation? - is there anything in syslog/journal? - if you increase the SSHD debug level, is there anything of interest in the SSHD log? - if you strace sshd (make sure to strace the child processes also and include the -tt flag to see the timestamps with a high resultion), do you see any delay there? From VKondratyev at bellintegrator.ru Fri Jul 29 13:13:31 2016 From: VKondratyev at bellintegrator.ru (Vladimir Kondratyev) Date: Fri, 29 Jul 2016 13:13:31 +0000 Subject: [Freeipa-users] sshd login in kdcproxy environment Message-ID: <0edce817-1524-54b4-52c6-28746129f9f9@bellintegrator.ru> Hi, all! I run FreeIPA 4.2 bundled with RHEL7.2 with all latest errata installed I tried to use kdcproxy in DMZ environment so I enabled KDCproxy on server and explicitly set AD server records in server`s [realm] section of krb5.conf. After that I disabled KDC DNS autodiscovery on client and pointed my AD domain entries of client`s krb5.conf to IPA server KDCproxy URL. 
That gave me partial success: I can obtain a TGT on the client with kinit, but I cannot log in to that user account on that client via ssh; the following error appears in /var/log/messages:

[sssd[krb5_child[XXXX]]]: Cannot contact any KDC for realm 'MY_AD_REALM'

Any clues on getting a successful sshd login in a kdcproxy environment? Thanks!

From jpazdziora at redhat.com Fri Jul 29 13:35:38 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Fri, 29 Jul 2016 15:35:38 +0200 Subject: [Freeipa-users] sssd shows deleted users as well In-Reply-To: References: <20160722082829.GC22052@10.4.128.1> <20160722084148.GV20343@hendrix> Message-ID: <20160729133538.GZ1586@redhat.com>

On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> My specific requirement for having "enumerate=TRUE" was, we have a build server with Jenkins set up.
> And for authentication Jenkins tries to get the local users on the system.
>
> I should be able to get through that by configuring Jenkins to use LDAP instead of the local users.

Alternatively you could use an Apache HTTP frontend for authentication per https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security and use for example mod_authnz_pam configured with a PAM service that pam_sss.so / SSSD will handle.

-- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From andreas.ladanyi at kit.edu Fri Jul 29 13:35:37 2016 From: andreas.ladanyi at kit.edu (Andreas Ladanyi) Date: Fri, 29 Jul 2016 15:35:37 +0200 Subject: [Freeipa-users] Moving from ca to ca-less without pki Message-ID: <579B5BA9.8060505@kit.edu>

Hi,

is it simply possible to move from a CA to a CA-less environment in IPA? It is OK for me to only use certificates in the web and LDAP components. I use FreeIPA 4.2, Fedora 23.
regards, Andreas

From rakesh.rajasekharan at gmail.com Fri Jul 29 18:07:02 2016 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Fri, 29 Jul 2016 23:37:02 +0530 Subject: [Freeipa-users] ipa restore from backup on another host Message-ID:

Hi,

I would like to restore IPA from a backup taken on another host. My use case is to create a new QA environment, and I don't want to go over the process of recreating all the users.

I tried to restore IPA from the backup taken in my first environment, but that failed with hostname difference issues. Is there a way to get this working?

Thanks, Rakesh

From sipazzo at yahoo.com Fri Jul 29 16:06:05 2016 From: sipazzo at yahoo.com (sipazzo) Date: Fri, 29 Jul 2016 16:06:05 +0000 (UTC) Subject: [Freeipa-users] certificates expired - won't renew References: <1523620231.6242117.1469808365977.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com>

I have seen many threads on this, so sorry to bring it up again, but I have a FreeIPA domain with 4 IPA servers running on Red Hat 6, version 3.0.0-50. The certificates are expired/expiring and will not renew, and it is causing many issues for us. I have tried the many suggestions I have seen in the archives, such as changing the time to prior to expiration and attempting to renew by resubmitting the requests, but they never renew.

An example of getcert list from the first server that expired:

Number of certificates and requests being tracked: 8.
Request ID '20140618161026':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=idm1-io.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140618161126':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1-io.example.com:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=5&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2016-06-06 23:36:29 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140618161127':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ocspSigningCert+cert-pki-ca&serial_num=2&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2016-06-06 23:36:28 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140618161128':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=subsystemCert+cert-pki-ca&serial_num=4&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2016-06-06 23:36:28 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140618161129':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=268304385&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2016-06-07 16:11:22 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20140618161217':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv example-COM
    track: yes
    auto-renew: yes
Request ID '20140618161317':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=idm1-io.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:06 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20140618161338':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2016-06-06 23:37:09 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

The localhost log in /var/log/pki-ca has errors like:

tail localhost.2016-07-29.log
Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
java.io.IOException: CS server is not ready to serve.
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.

Debug log in /var/log/pki-cacd

tail debug
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException

Performing most IPA commands results in errors such as:

ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)

Not sure if it is related, but we lost our first IPA server some time ago and had to promote another to the CA master. Also, due to someone leaving the company at the beginning of the year, we had to change the directory manager password. I followed all the directions to do so, but it does not seem like it was a completely smooth transaction.
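The listing above mixes three failure signatures: the requests whose helper is the IPA RA (CA: IPA) report CA_UNREACHABLE because libcurl cannot validate the certificate the IPA web server presents (that httpd Server-Cert is itself one of the expired entries); the requests renewed through dogtag-ipa-renew-agent get no response because the CA answers "CS server is not ready to serve"; and one request is stuck in NEED_CSR_GEN_TOKEN. Untangling that by hand across four servers is error-prone, so here is a triage script. It is an added example, not code from this thread or from certmonger/FreeIPA: it parses getcert list output, flags expired, stuck and erroring requests as of a given date, computes the latest date the clock can be rolled back to so that every tracked certificate is valid again (the "change the time to prior to expiration" step the poster mentions), and orders the requests for resubmission. The sample input is constructed from the posted listing, abridged to four of the eight requests. The resubmission order it encodes (the CA's own subsystem certificates first, then the ipaCert RA agent certificate, then the HTTP and LDAP service certificates that renew through the RA) is an assumption reflecting common practice for this situation, not something the thread states.

```python
"""Triage `getcert list` output: expired/stuck/erroring requests, the clock
rollback target, and a resubmission order. Added example; sample data is
constructed from the listing in the thread, abridged to four requests."""
import re
import sys
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 4.
Request ID '20140618161026':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    CA: IPA
    subject: CN=idm1-io.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
Request ID '20140618161126':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1-io.example.com:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=5&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2016-06-06 23:36:29 UTC
Request ID '20140618161217':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-COM/pwdfile.txt'
    CA: IPA
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2016-06-18 00:09:05 UTC
Request ID '20140618161338':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: dogtag-ipa-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2016-06-06 23:37:09 UTC
"""


def parse_utc(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' form getcert prints into an aware datetime."""
    return datetime.strptime(text, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or not raw[:1].isspace():
            continue  # header line, not an indented field
        key, sep, value = raw.strip().partition(":")  # split on the first colon only
        if sep:
            current[key] = value.strip()
    for r in requests:
        nick = re.search(r"nickname='([^']*)'", r.get("key pair storage", ""))
        r["nickname"] = nick.group(1) if nick else r.get("subject", "?")
        r["expires_at"] = parse_utc(r["expires"]) if "expires" in r else None
    return requests


def triage(requests, now):
    """Map request id -> problems visible in the listing as of `now`."""
    problems = {}
    for r in requests:
        found = []
        if r["expires_at"] is not None and r["expires_at"] <= now:
            found.append("expired")
        if r.get("stuck") == "yes":
            found.append("stuck")
        if r.get("ca-error"):
            found.append("ca-error")
        if r.get("status") != "MONITORING":
            found.append("status=" + r.get("status", "?"))
        problems[r["request_id"]] = found
    return problems


def rollback_target(requests, margin=timedelta(days=1)):
    """Earliest expiry minus a margin: the latest clock setting at which every
    tracked certificate is still valid, so renewals can be retried."""
    return min(r["expires_at"] for r in requests if r["expires_at"]) - margin


def renewal_phase(r):
    """Assumed order: 0 = CA subsystem cert, 1 = IPA RA agent cert (ipaCert),
    2 = service cert that certmonger renews through the IPA RA."""
    if r.get("CA") == "dogtag-ipa-renew-agent":
        return 1 if r["nickname"] == "ipaCert" else 0
    return 2


def renewal_order(requests):
    """Request ids in `getcert resubmit -i` order (stable sort keeps listing order within a phase)."""
    return [r["request_id"] for r in sorted(requests, key=renewal_phase)]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT
    reqs = parse_getcert_list(text)
    now = parse_utc("2016-07-29 00:00:00 UTC")  # date of the post above
    for rid, probs in triage(reqs, now).items():
        print(rid, ", ".join(probs) or "ok")
    print("set clock before:", rollback_target(reqs))
    print("resubmit order:", renewal_order(reqs))
```

Pipe real output through it with `getcert list | python3 triage.py`; with no stdin it runs on the constructed sample. The rollback target is deliberately the earliest expiry, not the one of the certificate you happen to be looking at: once the clock is moved to that point the triage run should show no "expired" entries, and only then is a resubmit worth attempting.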
From rcritten at redhat.com Fri Jul 29 18:48:24 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2016 14:48:24 -0400 Subject: [Freeipa-users] ipa restore from backup on another host In-Reply-To: References: Message-ID: <579BA4F8.8050707@redhat.com>

Rakesh Rajasekharan wrote:
> Hi,
>
> I would like to restore IPA from a backup taken on another host.
>
> My use case is to create a new QA environment and dont want to go over
> the process of recreating all the users.
>
> I tried to restore IPA from the backup taken in my first environment .
> But, that failed with hostname difference issues.
>
> Is there a way to get this working.

Not easily. A backup has the original hostname all over the place: in keytabs, SSL certificates, configuration files, etc. You could do it by naming the QA environment the same as the production host but yeah, that'd be confusing (and dangerous).

There is probably a way to do it manually, by pulling apart the backup, grabbing the ldif, massaging it just so and importing it. There may be other configuration changes too to match the running environment. But lots of things _still_ wouldn't work without extra effort: you'd have a separate CA, Kerberos master key, etc. So, for example, none of the entries you imported via the LDIF would work with Kerberos because they'd be signed by the wrong master key (the one from production). Maybe that's ok. It might be death by a thousand cuts as you run into corner case after corner case.

If you're ok with a snapshot in time you could install the QA system as a replica of production, then remove the replication agreement, leaving it standalone. You'd need to do this for the CA as well, and probably after the fact configure a DNA range for new entries.
rob

From william.muriithi at gmail.com Fri Jul 29 20:27:16 2016 From: william.muriithi at gmail.com (William Muriithi) Date: Fri, 29 Jul 2016 16:27:16 -0400 Subject: [Freeipa-users] PKI signing certificate question In-Reply-To: References: Message-ID:

Clark,

Thank you.

> I personally haven't done this, but from https://www.freeipa.org/page/PKI
>
> "when --external-ca option is used, ipa-server-install produces a certificate certificate request for it's CA certificate so that it can be properly chained in existing PKI infrastructure."
>

Has anyone here been successful in getting an external CA to sign this kind of certificate? I have just spent 2 days trying to convince DigiCert that there is no harm in issuing this kind of certificate as long as it's restricted to one domain, without success. Which external CA would be more open to signing this kind of certificate?

Lastly, would there be any harm in enrolling IPA clients to this server before feeding it the signed certificate?

Regards
William

From rcritten at redhat.com Fri Jul 29 21:10:52 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2016 17:10:52 -0400 Subject: [Freeipa-users] certificates expired - won't renew In-Reply-To: <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> References: <1523620231.6242117.1469808365977.JavaMail.yahoo.ref@mail.yahoo.com> <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> Message-ID: <579BC65C.9040309@redhat.com>

sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have seen in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew.
> An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.

[snip]

> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
>     at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have missed a step when updating the DM password. As a goof I just tried it on my RHEL 6 install and it seems to work; this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update the internaldb value in /etc/pki-ca/password.conf with the new password.
Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA:

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the expired certs, but if you go back in time you will at least have a chance of renewing things.

rob

From sipazzo at yahoo.com Fri Jul 29 20:09:17 2016 From: sipazzo at yahoo.com (sipazzo) Date: Fri, 29 Jul 2016 20:09:17 +0000 (UTC) Subject: [Freeipa-users] certificates expired - won't renew In-Reply-To: <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> References: <1523620231.6242117.1469808365977.JavaMail.yahoo.ref@mail.yahoo.com> <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1106770349.6314370.1469822957175.JavaMail.yahoo@mail.yahoo.com>

Unfortunately this issue suddenly got much worse. I get this error in the UI when trying to view hosts on one of my servers:

cannot connect to 'https:/ipa1.example.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

and this on the others:

Some operations failed.
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
[the same line repeated 16 times]
I followed all the directions to do so but it does not seem like it was a completely smooth transaction.

From sipazzo at yahoo.com Fri Jul 29 23:06:00 2016
From: sipazzo at yahoo.com (sipazzo)
Date: Fri, 29 Jul 2016 23:06:00 +0000 (UTC)
Subject: [Freeipa-users] certificates expired - won't renew
In-Reply-To: <579BC65C.9040309@redhat.com>
References: <1523620231.6242117.1469808365977.JavaMail.yahoo.ref@mail.yahoo.com> <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> <579BC65C.9040309@redhat.com>
Message-ID: <253757691.6428616.1469833560661.JavaMail.yahoo@mail.yahoo.com>

Rob you are awesome and I don't know what I would do without you. So I have two things going on obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again following some of the threads I have seen.

Could you please just clarify two points? On my 4 servers all running as CAs do I only need to set the date back to prior to expired certs running ipa-getcert list or the earliest expired date when running getcert list? The getcert list shows certs that have been expired since June but the ipa-getcert shows more recent.

Also, does it matter which servers I do first? Meaning should I set time back on my "master" CA first. This is the expiration output info from my master:

[root at ipa2 ~]# ipa-getcert list | grep expires
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-08-26 16:41:23 UTC
    expires: 2016-08-26 16:41:24 UTC
[root at ipa2 ~]# getcert list | grep expires
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-08-15 16:47:26 UTC
    expires: 2016-08-26 16:41:23 UTC
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-06-06 23:36:29 UTC
    expires: 2016-06-06 23:36:28 UTC
    expires: 2016-06-06 23:36:28 UTC
    expires: 2016-06-06 23:37:09 UTC

Again thank you, as always.

From: Rob Crittenden
To: sipazzo ; "freeipa-users at redhat.com"
Sent: Friday, July 29, 2016 2:10 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew

sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have seen in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew. An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.

[snip]

> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
>     at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have missed a step when updating the DM password.
As a goof I just tried it on my RHEL 6 install and it seems to work, this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.

Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the expired certs but if you go back in time you will at least have a chance of renewing things.

rob

From rakesh.rajasekharan at gmail.com Sat Jul 30 08:32:56 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Sat, 30 Jul 2016 14:02:56 +0530
Subject: [Freeipa-users] slow login with freeipa 4.2.0
In-Reply-To: <20160729114028.GO11494@hendrix>
References: <20160725174204.GM12570@hendrix> <20160729114028.GO11494@hendrix>
Message-ID:

Thanks Jakub for the detailed analysis... with those inputs, I was able to nail down the issue.

I had migrated this host from openldap to freeipa.. However, nslcd daemon was still running and the syslog pointed me to the error "unable to contact the earlier openldap server" and it spent some time there...
So, I stopped nslcd and now logins have improved drastically to around 5s

date;ssh testuser at localhost
Sat Jul 30 08:09:13 UTC 2016
testuser at localhost's password:
Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
[p-rakeshpillai at prod1-admintools-1c :~] date
Sat Jul 30 08:09:18 UTC 2016

For the ipa_hostname entry in sssd.conf, that gets auto populated every time I run ipa-client-install. I run the below command to set up the ipa client

ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom --realm=xyz.xom -p admin --password=mypass --mkhomedir --hostname=10.65.16.4 --no-ssh --no-sshd -N -f -U

Notice that, in the hostname argument, I am passing the IP address. Hope that's fine, it's actually working fine on around 2000+ servers in my environment.

I had earlier tried with servername.domain (qa-test1.yyz.com as the hostname) and my server's hostname would get changed to qa-test1.yyz.com. However, we do our deployments on glassfish and glassfish somehow started having issues every time we restart glassfish (not an expert with glassfish) so not sure what's wrong there.

With this approach, my hostname is now my ipaddress and things are working fine both at glassfish and IPA side. But just want to confirm it's ok to do that

Thanks,
Rakesh

On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek wrote:
> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > > Any chance that it's running on a VM? If so, check your entropy:
> > >
> > > cat /proc/sys/kernel/random/entropy_avail
> > >
> > > If it's low (like < 1k), install haveged.
> >
> > this indeed is vm, am running it on azure. However, I have a similar set
> > up running on aws which works completely fine
> >
> > Sorry about the delay in replying..
> >
> > The entropy was low, around 180, I installed haveged and now it's above 3k
> > cat /proc/sys/kernel/random/entropy_avail
> > 3178
> >
> > The timing though is still the same around 19s
>
> I have some comments inline about the config and logs.
>
> > @jakub, i am reattaching the logs.
> >
> > The dns resolution seems fast when I check using dig
> >
> > below is my sssd.conf
> > [domain/xyz.com]
> > selinux_provider=none
> > krb5_auth_timeout = 20
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = xyz.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = 10.65.16.4
>
> The ipa_hostname value is wrong. It's meant for systems where hostname
> reports a different name than what is the name the host is registered as
> in IPA. Including an IP address there doesn't make much sense.
>
> > chpass_provider = ipa
> > ipa_server = ipa-master-in.xyz.com
> > dns_discovery_domain = xyz.com
> > ignore_group_members=True
> > ldap_purge_cache_timeout = 0
> > debug_level=8
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = xyz.com
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > pam_id_timeout = 3
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
> >
> >
> > And here is the login times and logs
> >
> > [root at ipa-client-1 :~] date;ssh testuser at localhost
> > Tue Jul 26 12:06:37 UTC 2016
> > testuser at localhost's password:
> > Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> > [testuser at ipa-client-1 :~] date
> > Tue Jul 26 12:06:55 UTC 2016
> >
> >
> > sssd_domain logs
> >
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000):
> > Not a sysbus message, quit
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
>
> --> A request for user's groups arrived.
>
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.65.16.4
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com].
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> > [...]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> ---> Here the request for user's groups finished. It took about a second in total.
>
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
>
> Preauthentication checks for available login methods...
>
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]
>
> ---> Here the preauth request finished, within a second.
>
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>
> ---> Authentication request is received.
>
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f88d1142ab0] done.
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> > (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]
>
> Here the authentication finished successfully, again within a second..
>
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
>
> ---> Access control request is received
>
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success (Success)]
>
> --> User is granted access, we're within two seconds from the first request, still.
>
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][xyz.com]
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][xyz.com]
>
> --> The selinux provider is disabled and quits immediately.
>
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
> > (Tue Jul 26 12:06:42 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Sending result [0][xyz.com]
>
> --> The setcred PAM target does nothing, just returns success.
>
> ...And there nothing happens for 10 seconds, at least not in this log.
> Is there any activity in the other SSSD logs in the meantime?
>
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Tue Jul 26 12:06:52 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
>
> ...Until a request for user groups arrives here..
>
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> ---> Is processed here.
>
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Jul 26 12:06:53 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
>
> And the session for the user is opened here.
>
> So my conclusion from the logs is that the delay is not within SSSD. The
> next things I would check are:
> - are there any other NSS modules in nsswitch.conf except sss and files?
> - is there any other PAM module in the PAM stack except pam_sss.so and pam_unix and those that you would expect after IPA client installation?
> - is there anything in syslog/journal?
> - if you increase the SSHD debug level, is there anything of interest in the SSHD log?
> - if you strace sshd (make sure to strace the child processes also and include the -tt flag to see the timestamps with a high resolution), do you see any delay there?
>
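Two of the things this thread turns up on a client migrated from an older LDAP setup can be checked mechanically: an NSS module in nsswitch.conf that is not part of an IPA client (a leftover "ldap" entry is what keeps nslcd in the lookup path, which is what Rakesh found still running), and an ipa_hostname in sssd.conf that is an IP address rather than the name the host is enrolled under, which Jakub points out is not what the option is for. The following script is an added example, not code from the thread or from the SSSD or FreeIPA projects; the set of expected NSS modules, the file names and the two sample configurations are constructed assumptions, with only the ipa_hostname value taken from the quoted sssd.conf.

```python
"""Post-migration lint for an IPA client (added example, not from the thread).

Checks:
  * nsswitch.conf: any NSS module outside the expected set (a stale "ldap"
    entry means nslcd is still consulted for lookups);
  * sssd.conf: ipa_hostname set to an IP address instead of the enrolled FQDN.
The sample configurations below are constructed for this example.
"""
import configparser
import ipaddress

# Modules an IPA client is expected to use (assumption; adjust to your baseline).
EXPECTED_NSS_MODULES = {"files", "sss", "dns", "myhostname", "compat"}


def nsswitch_findings(text):
    """Return (database, module) pairs for every unexpected NSS module.

    Comments are stripped and action specifiers such as [NOTFOUND=return]
    are skipped, so only real module names are reported.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, _, modules = line.partition(":")
        for module in modules.split():
            if module.startswith("["):
                continue  # action specifier, not a module
            if module not in EXPECTED_NSS_MODULES:
                findings.append((database.strip(), module))
    return findings


def sssd_findings(text):
    """Return (section, value) pairs for every [domain/...] section whose
    ipa_hostname parses as an IP address."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        value = parser.get(section, "ipa_hostname", fallback=None)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # a host name, which is what the option expects
        findings.append((section, value))
    return findings


def report(nsswitch_text, sssd_text):
    """Combine both checks into a list of human-readable findings."""
    lines = []
    for database, module in nsswitch_findings(nsswitch_text):
        lines.append(f"nsswitch.conf: '{database}' still uses NSS module '{module}'")
    for section, value in sssd_findings(sssd_text):
        lines.append(f"sssd.conf [{section}]: ipa_hostname is an IP address ({value})")
    return lines


# Constructed sample: an nsswitch.conf with stale ldap entries, as a host
# moved from nslcd to SSSD might still carry.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss ldap
shadow:     files sss
group:      files sss ldap
hosts:      files dns myhostname
netgroup:   files sss [NOTFOUND=return] ldap
sudoers:    files sss
"""

# Constructed sample modelled on the sssd.conf quoted in the thread.
SAMPLE_SSSD = """\
[domain/xyz.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = xyz.com
ipa_server = ipa-master-in.xyz.com
ipa_hostname = 10.65.16.4
debug_level=8
[sssd]
services = nss, sudo, pam, ssh
domains = xyz.com
[nss]
[pam]
"""

if __name__ == "__main__":
    for line in report(SAMPLE_NSSWITCH, SAMPLE_SSSD):
        print(line)
```

On a real host, read /etc/nsswitch.conf and /etc/sssd/sssd.conf into the two functions instead of the samples; a clean IPA client returns an empty list from both.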
From rakesh.rajasekharan at gmail.com Sat Jul 30 09:29:20 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Sat, 30 Jul 2016 14:59:20 +0530
Subject: [Freeipa-users] sssd shows deleted users as well
In-Reply-To: <20160729133538.GZ1586@redhat.com>
References: <20160722082829.GC22052@10.4.128.1> <20160722084148.GV20343@hendrix> <20160729133538.GZ1586@redhat.com>
Message-ID:

Thanks Jan.. I will give that a try

On Fri, Jul 29, 2016 at 7:05 PM, Jan Pazdziora wrote:
> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was, we have a build
> > server with the jenkins set up.
> > And for authentication jenkins tries to get the localusers on the system.
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
>
> Alternatively you could use Apache HTTP frontend for authentication per
>
> https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
>
> and use for example mod_authnz_pam configured with PAM service
> that pam_sss.so / SSSD will handle.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From richard.harmonson at gmail.com Sun Jul 31 05:45:53 2016
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Sat, 30 Jul 2016 22:45:53 -0700
Subject: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates
Message-ID:

I'm having challenges resuming ipa-server-install --external-ca. I am reasonably confident I am not providing the right certificate and/or format from my off-line root CA using 389 and Dogtag. Does anyone have instructions on how to accomplish the task of exporting the correct certificates in the expected format?

Thank you.
From sipazzo at yahoo.com Sun Jul 31 19:24:18 2016
From: sipazzo at yahoo.com (sipazzo)
Date: Sun, 31 Jul 2016 19:24:18 +0000 (UTC)
Subject: [Freeipa-users] certificates expired - won't renew
In-Reply-To: <253757691.6428616.1469833560661.JavaMail.yahoo@mail.yahoo.com>
References: <1523620231.6242117.1469808365977.JavaMail.yahoo.ref@mail.yahoo.com> <1523620231.6242117.1469808365977.JavaMail.yahoo@mail.yahoo.com> <579BC65C.9040309@redhat.com> <253757691.6428616.1469833560661.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <553193028.7011450.1469993058846.JavaMail.yahoo@mail.yahoo.com>

I set time back on master ca and was able to renew its certs except for one that has yet to expire but should have renewed. I tried to resubmit it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do have a go daddy cert we use as well but it is valid still. Is it because of the nickname mismatches? I am not sure how to fix that.

ipa1-example.com

Request ID '20140729215756':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2016-07-29 20:39:21 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes

certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NWF_GD                                                       u,u,u
CN=Certificate Authority,O=EXAMPLE.COM                       CT,,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US CT,,C
GD_CA                                                        CT,,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,,C

certutil -L -d /etc/dirsrv/slapd-PKI-IPA/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
O=EXAMPLE.COM

EXAMPLE.COM IPA CA                                           CT,C,
Server-Cert                                                  u,u,u

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u

My other servers had varying degrees of success with their expired certificates, I have one server that would not renew 6 of its certs, 1 that would not renew 2 of its certs and 1 that would not renew 1 of its certs. These are examples of the last two - I will save the one that won't renew 6 as I am hoping I can apply same steps to those failures.

ipa2.example.com - 2 won't renew - one CA_unreachable even after successful restart of services and one NEED_CSR_GEN_TOKEN

Request ID '20140729215756':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa2.example.com,O=EXAMPLE.COM
    expires: 2016-07-29 20:39:21 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20140729215712':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa2.example.com,O=EXAMPLE.COM
    expires: 2016-07-18 21:57:06 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN

Request ID '20140729215511':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa3.example.com,O=EXAMPLE.COM
    expires: 2016-07-29 20:38:41 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes

From: sipazzo
To: Rob Crittenden ; "freeipa-users at redhat.com"
Sent: Friday, July 29, 2016 4:06 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew

Rob you are awesome and I don't know what I would do without you. So I have two things going on obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again following some of the threads I have seen. Could you please just clarify two points?

On my 4 servers all running as CAs, do I only need to set the date back to prior to the expired certs shown when running ipa-getcert list, or to the earliest expired date shown when running getcert list? The getcert list shows certs that have been expired since June but the ipa-getcert shows more recent. Also, does it matter which servers I do first? Meaning, should I set time back on my "master" CA first?

This is the expiration output info from my master:

[root at ipa2 ~]# ipa-getcert list | grep expires
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-08-26 16:41:23 UTC
    expires: 2016-08-26 16:41:24 UTC
[root at ipa2 ~]# getcert list | grep expires
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-08-15 16:47:26 UTC
    expires: 2016-08-26 16:41:23 UTC
    expires: 2016-08-26 16:41:24 UTC
    expires: 2016-06-06 23:36:29 UTC
    expires: 2016-06-06 23:36:28 UTC
    expires: 2016-06-06 23:36:28 UTC
    expires: 2016-06-06 23:37:09 UTC

Again thank you, as always.

From: Rob Crittenden
To: sipazzo ; "freeipa-users at redhat.com"
Sent: Friday, July 29, 2016 2:10 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew

sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us.
> I have tried the many suggestions I have seen in the archives such as
> changing the time to prior to expiration and attempting renew by
> resubmitting the requests but they never renew. An example of getcert
> list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.

[snip]

> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
>       at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>       at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>       at org.
>
> Debug log in /var/log/pki-cacd
>  tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have missed a step when updating the DM password. As a goof I just tried it on my RHEL 6 install and it seems to work, this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.
Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the expired certs but if you go back in time you will at least have a chance of renewing things.

rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
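As an added example (not code from this thread, FreeIPA or certmonger): a small Python triage script for the two kinds of output quoted in the message above. It parses getcert list records of the form shown (Request ID, status, stuck, ca-error, expires) and reports every tracking request that is stuck, expired at a given reference time, or reporting a CA error, which is the check an admin would want to run across all four servers before deciding which certificates need the set-the-clock-back renewal. It also decodes the certutil trust-attribute strings seen in the listings (CT,,C, CT,C,, u,u,u) so the difference between a trusted CA entry and a server cert with a private key is explicit. The sample records below are constructed and modelled on the ones quoted in the thread; MONITORING is certmonger's normal steady state for a tracked certificate.

```python
"""Triage helper for 'getcert list' output and certutil trust flags.

Added example for this thread; not FreeIPA or certmonger code.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the records quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20140729215756':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa2.example.com,O=EXAMPLE.COM
    expires: 2016-07-29 20:39:21 UTC
    track: yes
    auto-renew: yes
Request ID '20140729215712':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=ipa2.example.com,O=EXAMPLE.COM
    expires: 2016-07-18 21:57:06 UTC
    track: yes
    auto-renew: yes
Request ID '20160101000000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ipa2.example.com,O=EXAMPLE.COM
    expires: 2017-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
"""


def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps."""
    return datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")


def parse_getcert(text):
    """Split 'getcert list' output into one dict per Request ID.

    Indented 'key: value' lines belong to the most recent Request ID;
    the value is everything after the first colon, so URLs in ca-error survive.
    """
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
            continue
        if current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def triage(records, now_utc):
    """Return [(request id, [reasons])] for requests needing attention at now_utc."""
    now = parse_utc(now_utc)
    findings = []
    for rec in records:
        reasons = []
        status = rec.get("status", "")
        if status != "MONITORING":          # anything else is not steady state
            reasons.append("status=%s" % status)
        if rec.get("stuck") == "yes":       # certmonger gave up retrying
            reasons.append("stuck")
        if "ca-error" in rec:               # last CA contact failed
            reasons.append("ca-error")
        if "expires" in rec and parse_utc(rec["expires"]) <= now:
            reasons.append("expired")
        if reasons:
            findings.append((rec["id"], reasons))
    return findings


# certutil trust flag letters (SSL / S/MIME / JAR-XPI fields, in that order).
TRUST_FLAG_MEANING = {
    "C": "trusted CA to issue server certs",
    "T": "trusted CA to issue client certs",
    "c": "valid CA",
    "P": "trusted peer",
    "p": "valid peer",
    "u": "user cert (private key present)",
    "w": "send warning",
}


def decode_trust(attrs):
    """Decode e.g. 'CT,C,' into {'SSL': [...], 'S/MIME': [...], 'JAR/XPI': [...]}."""
    fields = attrs.split(",")
    if len(fields) != 3:
        raise ValueError("expected three comma-separated fields: %r" % attrs)
    return {use: [TRUST_FLAG_MEANING.get(ch, "unknown flag %r" % ch) for ch in field]
            for use, field in zip(("SSL", "S/MIME", "JAR/XPI"), fields)}


def is_trusted_ca(attrs):
    """True when the SSL field carries 'C', as the 'EXAMPLE.COM IPA CA' entries do."""
    return "C" in attrs.split(",")[0]


if __name__ == "__main__":
    for req_id, reasons in triage(parse_getcert(SAMPLE_GETCERT), "2016-07-29 21:00:00 UTC"):
        print(req_id, ", ".join(reasons))
    print(decode_trust("CT,C,"))
```

Feed it the real output with `getcert list | python3 triage.py` style plumbing, or call parse_getcert on a captured file from each server; running it against every CA replica gives the earliest expiry date that the clock has to be rolled back past, which is the question asked in the message above.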